Optional ID token should not be required on token refresh

[anderius]

Our setup fails to refresh tokens, simply because our IdP does not return id_token in the refresh token response.

As can be seen here, that is optional: https://openid.net/specs/openid-connect-core-1_0.html#RefreshTokenResponse

Upon successful validation of the Refresh Token, the response body is the Token Response of Section 3.1.3.3 except that it might not contain an id_token.

The code here, however, requires id_token:

nginx-openid-connect/openid_connect.js

Lines 85 to 92 in afa8f4c

	if (!tokenset.id_token) {
	r.error("OIDC refresh response did not include id_token");
	if (tokenset.error) {
	r.error("OIDC " + tokenset.error + " " + tokenset.error_description);
	}
	r.variables.refresh_token = "-";
	r.return(302, r.variables.request_uri);
	return;

It would be nice if id_token was not required.

[anderius]

Another very related issue with the code is that it uses the id token in the variable session_jwt, and that is used in validating each request:

nginx-openid-connect/frontend.conf

Line 21 in afa8f4c

auth_jwt "" token=$session_jwt;

This does not work when the id-token is not refreshed.