Refresh Token Does Not Return Nonce

Issue / Steps to reproduce the problem

Calling Refresh Token with a nonce in the request does not return a nonce.

OpenID Connect Core Section 2 states:

If present in the Authentication Request, Authorization Servers MUST include a nonce Claim in the ID Token with the Claim Value being the nonce value sent in the Authentication Request.

Relevant parts of the log file

2018-03-27 16:29:45.182 -05:00 [INF] ValidatedAuthorizeRequest
{
  "ClientId": "native.code",
  "ClientName": "Native Code",
  "RedirectUri": "redacted-app://oauth-callback/",
  "AllowedRedirectUris": [
    "redacted-app://oauth-callback/"
  ],
  "SubjectId": "redacted",
  "ResponseType": "code",
  "ResponseMode": "query",
  "GrantType": "authorization_code",
  "RequestedScopes": "openid redacted offline_access",
  "State": "Sulxc0EcL85Hu_gbQiK7ATf7kG9jCQKiwfxf3Owd_cc",
  "Nonce": "okfVh2Fd2up_lmJPQ_YcsG6JXUDdn6LAUEIlsny9jEE",
  "Raw": {
    "nonce": "okfVh2Fd2up_lmJPQ_YcsG6JXUDdn6LAUEIlsny9jEE",
    "response_type": "code",
    "code_challenge_method": "S256",
    "scope": "openid redacted offline_access",
    "code_challenge": "onjmf4iyxfZyl182EOBDZQ7E3tRqrxSZYCUQpFMF3bo",
    "redirect_uri": "redacted://oauth-callback/",
    "client_id": "native.code",
    "state": "Sulxc0EcL85Hu_gbQiK7ATf7kG9jCQKiwfxf3Owd_cc"
  }
}
2018-03-27 16:29:49.734 -05:00 [INF] Invoking IdentityServer endpoint: IdentityServer4.Endpoints.TokenEndpoint for /connect/token
2018-03-27 16:29:49.743 -05:00 [INF] Token request validation success
{
  "ClientId": "native.code",
  "ClientName": "Native Code",
  "GrantType": "refresh_token",
  "RefreshToken": "fbe9280ef6ac22a04b605688929d842c4db72fa241b0161bcc37d22d29f638e7",
  "Raw": {
    "refresh_token": "fbe9280ef6ac22a04b605688929d842c4db72fa241b0161bcc37d22d29f638e7",
    "scope": "openid redacted offline_access",
    "redirect_uri": "redacted://oauth-callback/",
    "client_id": "native.code",
    "grant_type": "refresh_token"
  }
}

[brockallen]

Isn't that statement from the spec at the time the code is being exchanged for the access & refresh token? I don't think that's at the time a refresh token is being exchanged for a new access token.

@WilliamDenniss - Reading back through, this makes sense as to not pertaining to a refresh token request

[brockallen]

So then can we close this issue?

[WilliamDenniss]

Agreed. This is how Google has implemented it too.

When the point was raised earlier, I thought the error was on the authorization_code exchange, not refresh_token. Looking at the spec, it is a little ambiguous, but I think the intention is that it's only the code exchange (and that's how everyone has implemented it).

Thanks for the discussion!

[github-actions]

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.