fix: handle case of refresh token response not containing id_token

kyxyes · Mar 11, 2022 · 50fbb50 · 50fbb50
1 parent 2d5bde0
commit 50fbb50
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/src/ResponseValidator.ts b/src/ResponseValidator.ts
@@ -78,7 +78,9 @@ export class ResponseValidator {
         // if there's no scope on the response, then assume all scopes granted (per-spec) and copy over scopes from original request
         response.scope ??= state.scope;
 
-        if (response.isOpenId) {
+        // OpenID Connect Core 1.0 says that id_token is optional in refresh response:
+        // https://openid.net/specs/openid-connect-core-1_0.html#RefreshTokenResponse
+        if (response.isOpenId && !!response.id_token) {
             this._validateIdTokenAttributes(response, state.id_token);
         }
         logger.debug("tokens validated");