From 50fbb50288c08cbffea6c3f2b819f9eae0389369 Mon Sep 17 00:00:00 2001
From: Hugh Nimmo-Smith
Date: Fri, 11 Mar 2022 17:49:03 +0000
Subject: [PATCH] fix: handle case of refresh token response not containing id_token
---
 src/ResponseValidator.ts | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/ResponseValidator.ts b/src/ResponseValidator.ts
index efc889b03..f4f77c2bf 100644
--- a/src/ResponseValidator.ts
+++ b/src/ResponseValidator.ts
@@ -78,7 +78,9 @@ export class ResponseValidator {
 // if there's no scope on the response, then assume all scopes granted (per-spec) and copy over scopes from original request
 response.scope ??= state.scope;
- if (response.isOpenId) {
+ // OpenID Connect Core 1.0 says that id_token is optional in refresh response:
+ // https://openid.net/specs/openid-connect-core-1_0.html#RefreshTokenResponse
+ if (response.isOpenId && !!response.id_token) {
 this._validateIdTokenAttributes(response, state.id_token);
 }
 logger.debug("tokens validated");
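Review bot: `logger.debug("tokens validated")` at the end of the hunk still runs when the new `&& !!response.id_token` guard skips `_validateIdTokenAttributes`, so the log reports a validation that did not happen and the skipped comparison against `state.id_token` leaves no trace. I would log the skip explicitly, e.g. `else if (response.isOpenId) { logger.debug("no id_token in refresh response, ID token checks skipped"); }`. The line above carries the scope over with `response.scope ??= state.scope`, but nothing visible does the same for the ID token, so a refresh without one presumably leaves `response.id_token` empty for later code; that is worth confirming outside the hunk. The enclosing method starts and ends outside the hunk, so confirm it is only reached for refresh responses, since an initial openid token response must contain an id_token. The `!!` is redundant inside an `if` condition.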