id token not optional for refresh token grant
Using the Hybrid workflow, it's my understanding that the id_token is optional in the response to a refresh grant request to the token endpoint.
However, I receive a "Couldn't parse ID token" exception if the OP response is only an access token and refresh token (com.nimbusds.openid.connect.sdk.token.OIDCTokens.parse()). It's also clear from the calling classes that they expect an id_token.
Should this not be an option?
Comments (6)
-
-
reporter Perhaps I'm missing something then. I am making a Token request with an AuthorizationGrant of type RefreshTokenGrant and getting a response which only has refresh/access token.
I'm using the Connect2id OIDC SDK, using the OIDCTokenResponseParser(httpResponse) to process the response, which throws the exception as no id_token is included.
Or should I be using some other approach/class in the SDK to parse the token response for a refresh grant where only refresh/access tokens are included?
-
To process token responses with access (and optional refresh token) only, use the base OAuth 2.0 TokenResponse.parse method:
-
(which OIDCTokenResponse extends)
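An added example (not part of the comment above and not the project's own code) of handling a refresh grant response whose id_token is optional: it picks the parser based on whether the JSON body carries an id_token. The class name, method name and sample JSON are constructed for illustration, and it assumes an SDK version that provides `toSuccessResponse()` and `getTokens()`.

```java
import com.nimbusds.jwt.JWT;
import com.nimbusds.oauth2.sdk.ParseException;
import com.nimbusds.oauth2.sdk.TokenResponse;
import com.nimbusds.oauth2.sdk.token.Tokens;
import com.nimbusds.oauth2.sdk.util.JSONObjectUtils;
import com.nimbusds.openid.connect.sdk.OIDCTokenResponseParser;
import com.nimbusds.openid.connect.sdk.token.OIDCTokens;
import net.minidev.json.JSONObject;

public class RefreshResponseExample {  // hypothetical class name

    /** Parses the JSON body of a token response to a refresh token grant. */
    static Tokens parseRefreshResponse(String body) throws ParseException {
        JSONObject json = JSONObjectUtils.parse(body);

        // The OIDC parser requires an id_token; the base OAuth 2.0 parser does not.
        TokenResponse response = json.containsKey("id_token")
                ? OIDCTokenResponseParser.parse(json)
                : TokenResponse.parse(json);

        if (!response.indicatesSuccess()) {
            throw new IllegalStateException("Token endpoint error: "
                    + response.toErrorResponse().getErrorObject().getCode());
        }
        return response.toSuccessResponse().getTokens();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: refresh response with access and refresh token only.
        String body = "{\"access_token\":\"constructed-access-token\","
                + "\"token_type\":\"Bearer\",\"expires_in\":3600,"
                + "\"refresh_token\":\"constructed-refresh-token\"}";

        Tokens tokens = parseRefreshResponse(body);
        System.out.println("access token:  " + tokens.getAccessToken().getValue());
        System.out.println("refresh token: " + tokens.getRefreshToken().getValue());

        if (tokens instanceof OIDCTokens) {
            // An ID token returned on refresh still has to be validated
            // before any of its claims are trusted.
            JWT idToken = ((OIDCTokens) tokens).getIDToken();
            System.out.println("id_token present, alg: " + idToken.getHeader().getAlgorithm());
        } else {
            System.out.println("no id_token in this refresh response");
        }
    }
}
```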
-
reporter Understood...
-
- changed status to invalid
Closing as invalid
If you're speaking of the token response, an id_token is always returned there in exchange for an authZ code. The id_token is optional for the refresh token grant.
http://openid.net/specs/openid-connect-core-1_0.html#RefreshTokens
Whether an id_token is returned via the front-channel (in the auth response) is determined by the presence of id_token in the response_type request parameter.