Preflight checklist
Describe the bug
The requester ID for the Requester used in the refresh token flow should use the same ID as the original requester object. This is currently set just before the CreateRefreshTokenSession is called in the "Populate" step.
Problems -
- Implies that anything outside the refresh token handler is unaware of the original request's ID, which may play a part in populating audit records, other token sessions - such as the upcoming device secret, etc.
- Inconsistent with the auth code flow, where the token handler populates the ID in the right location based on the AuthorizeRequester.
Alternatives -
- Where needed, call GetRefreshTokenSession again. This is potentially expensive, especially given the implementations in Hydra and others that call into the DB whenever this is invoked. This can be worked around if the implementer caches the refresh token session in the Go context and looks it up if the same function is invoked within the same request.
Resolution -
Reproducing the bug
This is not a bug that can be recreated without adding new handlers that consume the original request ID at specific places, such as at the end of token generation or request validation (NewAccessRequest).
Relevant log output
Relevant configuration
Version
N/A
On which operating system are you observing this issue?
macOS
In which environment are you deploying?
Binary
Additional Context
No response
Preflight checklist
Describe the bug
The requester ID for the Requester used in the refresh token flow should use the same ID as the original requester object. This is currently set just before the
CreateRefreshTokenSessionis called in the "Populate" step.Problems -
Alternatives -
Resolution -
request.SetID(originalRequest.GetID())before https://github.com/ory/fosite/blob/master/handler/oauth2/flow_refresh.go#L80Reproducing the bug
This is not a bug that can be recreated without adding new handlers that consume the original request ID at specific places, such as at the end of token generation or request validation (
NewAccessRequest).Relevant log output
Relevant configuration
N/AVersion
N/A
On which operating system are you observing this issue?
macOS
In which environment are you deploying?
Binary
Additional Context
No response