fix: Omit non-standard, empty fields in RefreshTokenRequest when performing a token refresh #599
The OIDC spec's definition of a refresh request does not include `client_assertion` or `client_assertion_type` as valid parameters for the refresh request. See request format here: https://openid.net/specs/openid-connect-core-1_0.html#RefreshingAccessToken. The document only displays `client_id`, `client_secret`, `grant_type`, `refresh_token`, and `scope` as acceptable parameters.

Therefore, I propose we add the `omitempty` tags to the `ClientAssertion` and `ClientAssertionType` fields in `RefreshTokenRequest`, so that the token refresh functionality provided by `rp.RefreshTokens` can work with identity providers that may have additional logic or different expectations when these fields are included in the refresh token request.

For example, when attempting to construct an OIDC client via `rp.RelyingParty` against an Okta identity provider, I ran into issues when performing refresh with `rp.RefreshTokens`. The Okta identity provider returned `http status not ok: 400 Bad Request {"error":"invalid_request","error_description":"The client_assertion_type is invalid."}` as an error. I assume I'm receiving this error because I'm calling the `RefreshTokens` func with `clientAssertion=""` and `clientAssertionType=""`; the addition of the `omitempty` tags resolves this issue and hopefully future-proofs this library against other identity providers that have the same behavior.

Definition of Ready
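To show what the proposed tags change on the wire, here is an added example (not code from this PR or from the library it targets) that form-encodes a simplified mirror of `RefreshTokenRequest` with a hypothetical reflection-based encoder keyed on a `form` tag; the token, client id and secret values are constructed.

```go
package main

import (
	"fmt"
	"net/url"
	"reflect"
	"strings"
)

// RefreshTokenRequest mirrors the PR's request; the "form" tag name is an assumption of this example.
type RefreshTokenRequest struct {
	RefreshToken        string `form:"refresh_token"`
	Scope               string `form:"scope,omitempty"`
	ClientID            string `form:"client_id,omitempty"`
	ClientSecret        string `form:"client_secret,omitempty"`
	ClientAssertion     string `form:"client_assertion,omitempty"`
	ClientAssertionType string `form:"client_assertion_type,omitempty"`
	GrantType           string `form:"grant_type"`
}

// EncodeForm builds an application/x-www-form-urlencoded body from the "form" tags.
// With honorOmitEmpty=false it mimics the pre-fix behaviour: zero-value fields are sent as empty parameters.
func EncodeForm(v interface{}, honorOmitEmpty bool) string {
	values := url.Values{}
	rv := reflect.ValueOf(v)
	rt := rv.Type()
	for i := 0; i < rt.NumField(); i++ {
		parts := strings.SplitN(rt.Field(i).Tag.Get("form"), ",", 2)
		name := parts[0]
		omit := len(parts) == 2 && parts[1] == "omitempty"
		if name == "" {
			continue
		}
		fv := rv.Field(i)
		if honorOmitEmpty && omit && fv.IsZero() {
			continue
		}
		values.Set(name, fmt.Sprint(fv.Interface()))
	}
	return values.Encode() // keys are sorted, so the body is deterministic
}

// RefreshBody encodes a refresh for a client authenticating with a secret;
// the assertion fields stay empty, as in the Okta case described in the PR.
func RefreshBody(refreshToken, clientID, clientSecret string, honorOmitEmpty bool) string {
	req := RefreshTokenRequest{RefreshToken: refreshToken, ClientID: clientID,
		ClientSecret: clientSecret, GrantType: "refresh_token"}
	return EncodeForm(req, honorOmitEmpty)
}
```

Calling `RefreshBody(..., false)` yields a body containing `client_assertion=&client_assertion_type=`, which is the shape a strict provider can reject; with `true` those parameters are absent.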