fix: #754 preserve id_token and profile even if no openid is in scope…

… of refresh request
authts · Nov 15, 2022 · 47b4fa1 · 47b4fa1
1 parent 2e49894
commit 47b4fa1
Showing 1 changed file with 10 additions and 12 deletions.
diff --git a/src/ResponseValidator.ts b/src/ResponseValidator.ts
@@ -95,20 +95,18 @@ export class ResponseValidator {
         // OpenID Connect Core 1.0 says that id_token is optional in refresh response:
         // https://openid.net/specs/openid-connect-core-1_0.html#RefreshTokenResponse
         if (response.isOpenId) {
-            if (response.id_token) {
-                this._validateIdTokenAttributes(response, state.id_token);
-                logger.debug("ID Token validated");
-            }
-            else {
-                // if there's no id_token on the response, copy over id_token from original request
-                response.id_token = state.id_token;
-                // and decoded part too
-                response.profile = state.profile;
-            }
+            this._validateIdTokenAttributes(response, state.id_token);
+            logger.debug("ID Token validated");
+        }
+
+        if (!response.id_token) {
+            // if there's no id_token on the response, copy over id_token from original request
+            response.id_token = state.id_token;
+            // and decoded part too
+            response.profile = state.profile;
         }
 
-        const hasIdToken = response.isOpenId && !!response.id_token;
-        await this._processClaims(response, false, hasIdToken);
+        await this._processClaims(response, false, response.isOpenId);
         logger.debug("claims processed");
     }