Skip to content

Refresh token flow handler does not set the original request ID in the handler early enough #754

Description

@vivshankar

Preflight checklist

Describe the bug

The requester ID for the Requester used in the refresh token flow should use the same ID as the original requester object. This is currently set just before the CreateRefreshTokenSession is called in the "Populate" step.

Problems -

  1. Implies that anything outside the refresh token handler is unaware of the original request's ID, which may play a part in populating audit records, other token sessions - such as the upcoming device secret, etc.
  2. Inconsistent with the auth code flow, where the token handler populates the ID in the right location based on the AuthorizeRequester.

Alternatives -

  • Where needed, call GetRefreshTokenSession again. This is potentially expensive, especially given the implementations in Hydra and others that call into the DB whenever this is invoked. This can be worked around if the implementer caches the refresh token session in the Go context and looks it up if the same function is invoked within the same request.

Resolution -

Reproducing the bug

This is not a bug that can be recreated without adding new handlers that consume the original request ID at specific places, such as at the end of token generation or request validation (NewAccessRequest).

Relevant log output

N/A

Relevant configuration

N/A

Version

N/A

On which operating system are you observing this issue?

macOS

In which environment are you deploying?

Binary

Additional Context

No response

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugSomething is not working.

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions