This repository has been archived by the owner on Sep 18, 2021. It is now read-only.

id_token in response from refresh token request #3621

Open
guwer opened this issue Apr 5, 2017 · 4 comments

Comments


guwer commented Apr 5, 2017

Question / Issue

In version 2.6.0, an id_token was added to the response from the refresh token request (in #3458). I think this should be at least disabled by default or removed, because now it is not possible to get an id token in the password grant, but with the refresh_token grant I receive an id token whether I want it or not.

@leastprivilege (Member)

We are aware of this bug - not sure yet when we'll have time to fix it.

You can send a PR if you want to fix it yourself. It's the same as here:
https://github.com/IdentityServer/IdentityServer4/blob/dev/src/IdentityServer4/ResponseHandling/TokenResponseGenerator.cs#L179


guwer commented Apr 6, 2017

One question. Why was the id token introduced in the refresh token response in the first place? I suppose it was for the authorization code grant. If yes, the fix would be to add the id token to a response only if the refresh token was issued in the code grant. Is it possible to detect such a case? Additionally, an option to disable/enable such a behavior.

@leastprivilege (Member)


guwer commented Apr 9, 2017

OK, so to fix this, the part that "Token Response (...) might not contain an id_token." needs to be implemented.
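
Added example, not part of the thread and not IdentityServer code: the wording quoted in the last comment comes from OpenID Connect Core section 12.2, so a client has to accept a refresh response both with and without an id_token. The sketch below shows one way a client could handle both cases and, when an id_token is returned, compare it with the original one as that section requires. The class and method names, the issuer URL and the sample tokens are hypothetical and constructed for the example; signature and expiry validation are assumed to be done separately by the client's JWT library.

```csharp
using System;
using System.Text;
using System.Text.Json;

public static class RefreshResponseCheck   // hypothetical name, added example
{
    // Decode a JWT payload. Signature and expiry validation are assumed to be
    // done separately by the client's JWT library before this check.
    static JsonElement Payload(string jwt)
    {
        string s = jwt.Split('.')[1].Replace('-', '+').Replace('_', '/');
        s = s.PadRight(s.Length + (4 - s.Length % 4) % 4, '=');
        using var d = JsonDocument.Parse(Encoding.UTF8.GetString(Convert.FromBase64String(s)));
        return d.RootElement.Clone();
    }

    static string Raw(JsonElement p, string name) =>
        p.TryGetProperty(name, out var v) ? v.GetRawText() : null;

    // Returns null if the refresh response is acceptable, else the rejection reason.
    public static string Check(string tokenResponseJson, string originalIdToken)
    {
        using var doc = JsonDocument.Parse(tokenResponseJson);
        if (!doc.RootElement.TryGetProperty("id_token", out var tok))
            return null;   // no id_token on refresh is valid: keep the original identity
        JsonElement fresh = Payload(tok.GetString()), orig = Payload(originalIdToken);
        foreach (var claim in new[] { "iss", "sub", "aud", "azp", "auth_time" })
        {
            string f = Raw(fresh, claim);
            if (claim == "auth_time" && f == null) continue;   // optional on refresh
            if (f != Raw(orig, claim))   // raw JSON comparison, so aud arrays must match in order
                return $"claim '{claim}' differs from the original ID token";
        }
        return null;
    }

    // Constructed, unsigned sample token for the demo only.
    static string Jwt(string payloadJson) => "e30." + Convert.ToBase64String(
        Encoding.UTF8.GetBytes(payloadJson)).TrimEnd('=').Replace('+', '-').Replace('/', '_') + ".";

    public static void Main()
    {
        string orig = Jwt("{\"iss\":\"https://idp.example\",\"sub\":\"alice\",\"aud\":\"app\"}");
        string other = Jwt("{\"iss\":\"https://idp.example\",\"sub\":\"bob\",\"aud\":\"app\"}");
        Console.WriteLine(Check("{\"access_token\":\"x\"}", orig) ?? "ok");
        Console.WriteLine(Check("{\"access_token\":\"x\",\"id_token\":\"" + orig + "\"}", orig) ?? "ok");
        Console.WriteLine(Check("{\"access_token\":\"x\",\"id_token\":\"" + other + "\"}", orig));
    }
}
```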
