id_token not generated for client_credentials refresh grant

Author: prasenjit-net

go.mod

@@ -11,7 +11,7 @@ require (
 	github.com/hashicorp/go-memdb v1.2.1
 	github.com/pkg/errors v0.9.1
 	github.com/stretchr/testify v1.6.1
-	golang.org/x/crypto v0.0.0-20200820211705-5c72a883971a // indirect
+	golang.org/x/crypto v0.0.0-20201117144127-c1f2f97bffc9 // indirect
 	golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d
 	gopkg.in/square/go-jose.v2 v2.5.1
 )

go.sum

@@ -40,6 +40,8 @@ golang.org/x/crypto v0.0.0-20200709230013-948cd5f35899 h1:DZhuSZLsGlFL4CmhA8BcRA
 golang.org/x/crypto v0.0.0-20200709230013-948cd5f35899/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20200820211705-5c72a883971a h1:vclmkQCjlDX5OydZ9wv8rBCcS0QyQY66Mpf/7BZbInM=
 golang.org/x/crypto v0.0.0-20200820211705-5c72a883971a/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.0.0-20201117144127-c1f2f97bffc9 h1:phUcVbl53swtrUN8kQEXFhUxPlIlWyBfKmidCu7P95o=
+golang.org/x/crypto v0.0.0-20201117144127-c1f2f97bffc9/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
@@ -51,6 +53,8 @@ golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4 h1:YUO/7uOKsKeq9UokNS62b8FY
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/tools v0.0.0-20190422233926-fe54fb35175b/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543 h1:E7g+9GITq07hpfrRu66IVDexMakfv52eLZ2CXBWiKr4=

impl/processors/01_grant_type_validator.go

@@ -25,5 +25,6 @@ func (d *DefaultGrantTypeValidator) HandleTokenEP(_ context.Context, requestCont
 	if grantType == sdk.GrantResourceOwnerPassword && client.IsPublic() {
 		return sdkerror.ErrUnsupportedGrantType.WithDescription("'password' grant not allowed for public client")
 	}
+	requestContext.GetProfile().SetGrantType(grantType)
 	return nil
 }

impl/processors/01_response_type_validator.go

@@ -25,10 +25,12 @@ func (d *DefaultResponseTypeValidator) HandleAuthEP(_ context.Context, requestCo
 			if !approvedGrantTypes.Has(sdk.GrantAuthorizationCode) {
 				return sdkerror.ErrUnsupportedResponseType.WithDescription("'authorization_code' grant not approved")
 			}
+			requestContext.GetProfile().SetGrantType(sdk.GrantAuthorizationCode)
 		} else if responseType == sdk.ResponseTypeToken || responseType == sdk.ResponseTypeIdToken {
 			if !approvedGrantTypes.Has(sdk.GrantImplicit) {
 				return sdkerror.ErrUnsupportedResponseType.WithDebug("'implicit' grant not approved for client")
 			}
+			requestContext.GetProfile().SetGrantType(sdk.GrantImplicit)
 			if responseType == sdk.ResponseTypeIdToken {
 				nonce := requestContext.GetNonce()
 				if nonce == "" {

impl/processors/03_redirect_uri_validator.go

@@ -9,7 +9,7 @@ import (
 type DefaultRedirectURIValidator struct {
 }
 
-func (d *DefaultRedirectURIValidator) HandleRPILogoutEP(ctx context.Context, requestContext sdk.IRPILogoutRequestContext) sdk.IError {
+func (d *DefaultRedirectURIValidator) HandleRPILogoutEP(_ context.Context, requestContext sdk.IRPILogoutRequestContext) sdk.IError {
 	logoutRedirectUri := requestContext.GetPostLogoutRedirectUri()
 	if logoutRedirectUri != "" {
 		client := requestContext.GetClient()

impl/processors/07_issue_id_token.go

@@ -35,9 +35,9 @@ func (d *DefaultIDTokenIssuer) HandleAuthEP(ctx context.Context, requestContext
 }
 
 func (d *DefaultIDTokenIssuer) HandleTokenEP(ctx context.Context, requestContext sdk.ITokenRequestContext) sdk.IError {
-	if requestContext.GetProfile().GetScope().Has(sdk.ScopeOpenid) {
+	profile := requestContext.GetProfile()
+	if profile.GetScope().Has(sdk.ScopeOpenid) && profile.GetGrantType() != sdk.GrantClientCredentials {
 		expiry := requestContext.GetRequestedAt().UTC().Add(d.Lifespan).Round(time.Second)
-		profile := requestContext.GetProfile()
 		client := requestContext.GetClient()
 		tokens := requestContext.GetIssuedTokens()
 		var tClaims map[string]interface{}

user.go

@@ -102,3 +102,10 @@ func (r RequestProfile) GetCodeChallengeMethod() string {
 func (r RequestProfile) SetCodeChallengeMethod(challengeMethod string) {
 	r["code_challenge_method"] = challengeMethod
 }
+func (r RequestProfile) GetGrantType() string {
+	return r["grant_type"]
+}
+
+func (r RequestProfile) SetGrantType(challengeMethod string) {
+	r["grant_type"] = challengeMethod
+}