OIDC extension not releasing refresh token

Wessel, Keith kwessel at illinois.edu
Fri Sep 4 17:04:39 UTC 2020


Hi, all,

I'm helping the IdP operator from another of our campuses integrate with a mobile app that's already working with our IdP. When the client hits the other IdP's token endpoint, it gets back an access token and an ID token, but it gets no refresh token. It gets a refresh token from our IdP, just not from the other campus's IdP.

The only difference between our integration and theirs is that, for us, the client dynamically registered while it was manually added to the IdP on the other campus.

We've checked the IdP configuration, and we aren't explicitly disabling refresh tokens per profile configuration predicate. I'm at a loss as to why else the refresh token wouldn't be included.

The dynamic client registration against our IdP only has a response type of "code" set. Just for the heck of it, I had the other campus's IdP operator add id_token and token to the list of response types in the manually registered client metadata. This caused other errors from the IdP:

Profile Action ValidateResponseType: The response type id_token token is not registered for this RP

Can anyone offer any suggestions on why the IdP isn't releasing a refresh token to this client?

Thanks,
Keith
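The following is an added example and is not part of Keith's post or of the Shibboleth project's code. It encodes the spec-level preconditions behind the situation described above: RFC 7591 (OAuth 2.0 Dynamic Client Registration) defaults grant_types to authorization_code and ties each response_type value to the grant types it relies on, OpenID Connect Core 1.0 uses the offline_access scope to request a refresh token, and the OAuth 2.0 Multiple Response Type Encoding Practices treat a space-separated combination such as "id_token token" as a single response_type value (order not significant) that is distinct from "id_token" and "token" registered separately. The script compares a dynamically registered client against a manually entered one and inspects a token-endpoint response. All client metadata, the token response and the names DYNAMIC_CLIENT, MANUAL_CLIENT and SAMPLE_TOKEN_RESPONSE are constructed for the example; whether a particular OP (including the Shibboleth OIDC extension) enforces exactly these rules is implementation-specific and not claimed here.

```python
"""Spec-level checks for a token response that lacks a refresh token.

Added example, not from the mailing-list post or the Shibboleth project.
Rules follow RFC 7591 section 2, OpenID Connect Core 1.0 (offline_access)
and OAuth 2.0 Multiple Response Type Encoding Practices. All metadata and
the token response below are constructed sample data.
"""
import json


def normalize_response_type(rt: str) -> str:
    """Token order inside a response_type value is not significant, so sort
    the space-separated parts to get a canonical form for comparison."""
    return " ".join(sorted(rt.split()))


# RFC 7591 section 2.1: grant types each response_type value relies on.
RESPONSE_TYPE_TO_GRANTS = {
    normalize_response_type(k): v for k, v in {
        "code": {"authorization_code"},
        "token": {"implicit"},
        "id_token": {"implicit"},
        "id_token token": {"implicit"},
        "code id_token": {"authorization_code", "implicit"},
        "code token": {"authorization_code", "implicit"},
        "code id_token token": {"authorization_code", "implicit"},
    }.items()
}


def response_type_registered(requested: str, registered: list[str]) -> bool:
    """A combined value such as 'id_token token' is one response_type; having
    'id_token' and 'token' registered as separate entries does not cover it."""
    wanted = normalize_response_type(requested)
    return any(normalize_response_type(r) == wanted for r in registered)


def registration_issues(metadata: dict) -> list[str]:
    """List spec-level reasons this client would not receive a refresh token
    or would fail response_type / grant_type consistency. Missing keys take
    the RFC 7591 defaults: response_types ['code'], grant_types
    ['authorization_code']."""
    issues = []
    response_types = metadata.get("response_types", ["code"])
    grant_types = set(metadata.get("grant_types", ["authorization_code"]))
    for rt in response_types:
        needed = RESPONSE_TYPE_TO_GRANTS.get(normalize_response_type(rt))
        if needed is None:
            issues.append(f"unknown response_type {rt!r}")
        elif not needed <= grant_types:
            missing = ", ".join(sorted(needed - grant_types))
            issues.append(f"response_type {rt!r} needs grant_types: {missing}")
    if "refresh_token" not in grant_types:
        issues.append("grant_types lacks 'refresh_token'")
    return issues


def token_response_summary(body: str, requested_scope: str) -> dict:
    """Report which tokens the token endpoint returned and whether the
    authorization request asked for offline_access at all."""
    data = json.loads(body)
    return {
        "access_token": "access_token" in data,
        "id_token": "id_token" in data,
        "refresh_token": "refresh_token" in data,
        "offline_access_requested": "offline_access" in requested_scope.split(),
    }


# Constructed sample metadata (hypothetical values, not real clients).
DYNAMIC_CLIENT = {
    "response_types": ["code"],
    "grant_types": ["authorization_code", "refresh_token"],
}
MANUAL_CLIENT = {
    "response_types": ["code", "id_token", "token"],
    "grant_types": ["authorization_code"],
}
# Constructed token-endpoint response: access and ID token, no refresh token.
SAMPLE_TOKEN_RESPONSE = json.dumps({
    "access_token": "constructed-access-token",
    "token_type": "Bearer",
    "expires_in": 3600,
    "id_token": "constructed.id.token",
})

if __name__ == "__main__":
    for name, md in (("dynamic", DYNAMIC_CLIENT), ("manual", MANUAL_CLIENT)):
        print(name, registration_issues(md) or "no issues")
    print(response_type_registered("id_token token",
                                   MANUAL_CLIENT["response_types"]))
    print(token_response_summary(SAMPLE_TOKEN_RESPONSE, "openid profile"))
```

Run as a script it prints the spec-level differences between the two constructed registrations, shows that registering "id_token" and "token" separately does not register the combined "id_token token" value, and summarizes which tokens the constructed response carried. The point of the comparison is that the two registration paths (dynamic vs. manual) are the first place to diff metadata field by field, since the spec ties refresh-token eligibility to what the client declared, not to the response_type alone.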