Skip to content

Use old id_token if new id_token not in refresh response #629

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 4 commits into
base: master
Choose a base branch
from
Open

Use old id_token if new id_token not in refresh response #629

wants to merge 4 commits into from

Conversation

wryrye
Copy link

@wryrye wryrye commented Aug 1, 2024
edited
Loading

Description

In the case where a new id_token is not present in a refresh response, let's avoid setting id_token to undefined and instead use the old id_token!

References

Issue: #628

Testing

  1. Make a refresh request (req.oidc.accessToken.refresh()) where the response is missing an id_token
  2. Confirm subsequent accesses of req.oidc.idToken and req.oidc.user are NOT undefined
  • This change adds test coverage for new/changed/fixed functionality

Checklist

  • I have added documentation for new/changed functionality in this PR or in auth0.com/docs
  • All active GitHub checks for tests, formatting, and security are passing
  • The correct base branch is being used, if not the default branch

@wryrye wryrye marked this pull request as ready for review August 1, 2024 17:54
@wryrye wryrye requested a review from a team as a code owner August 1, 2024 17:54
@kushalshit27 kushalshit27 requested a review from a team as a code owner July 18, 2025 06:25
@kushalshit27 kushalshit27 requested review from Copilot and removed request for a team July 18, 2025 06:50
Copilot
Copilot AI reviewed Jul 18, 2025
View reviewed changes
Copy link
Contributor

@Copilot Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR fixes an issue where the id_token would be set to undefined when a refresh response doesn't include a new ID token. The change ensures the existing valid ID token is preserved in such cases.

  • Updates the token refresh logic to fallback to the old id_token when a new one isn't provided
  • Maintains consistency with the existing fallback pattern used for refresh_token
Comments suppressed due to low confidence (1)

lib/context.js:54

  • The new fallback logic for ID tokens lacks test coverage. Based on the PR description, tests should be added to verify that req.oidc.idToken and req.oidc.user remain accessible when refresh responses don't include an id_token.
    id_token: newTokenSet.id_token || oldTokenSet.id_token,

lib/context.js
access_token: newTokenSet.access_token,
// If no new ID token assume the current ID token is valid.
id_token: newTokenSet.id_token || oldTokenSet.id_token,
Copy link
Preview

Copilot AI Jul 18, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Using the old ID token without validating its expiration could lead to security issues. Consider checking if the old ID token is still valid (not expired) before using it as a fallback.

Suggested change
id_token: newTokenSet.id_token || oldTokenSet.id_token,
id_token: newTokenSet.id_token || (isTokenValid(oldTokenSet.id_token) ? oldTokenSet.id_token : undefined),

Copilot uses AI. Check for mistakes.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

Copilot code review Copilot Copilot left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@wryrye @kushalshit27