closes #781

IdentityServer · Feb 15, 2017 · 91cc7ee · 91cc7ee
1 parent d8ba99c
commit 91cc7ee
Show file tree

Hide file tree

Showing 2 changed files with 43 additions and 11 deletions.
diff --git a/src/IdentityServer4/ResponseHandling/TokenResponseGenerator.cs b/src/IdentityServer4/ResponseHandling/TokenResponseGenerator.cs
@@ -225,18 +225,24 @@ private async Task<Tuple<string, string>> CreateAccessTokenAsync(ValidatedTokenR
 
         private async Task<string> CreateIdTokenFromRefreshTokenRequestAsync(ValidatedTokenRequest request, string newAccessToken)
         {
-            var oldAccessToken = request.RefreshToken.AccessToken;
-            var tokenRequest = new TokenCreationRequest
+            var resources = await _resources.FindResourcesByScopeAsync(request.RefreshToken.Scopes);
+            if (resources.IdentityResources.Any())
             {
-                Subject = request.RefreshToken.Subject,
-                Client = request.Client,
-                Resources = await _resources.FindEnabledResourcesByScopeAsync(oldAccessToken.Scopes),
-                ValidatedRequest = request,
-                AccessTokenToHash = newAccessToken
-            };
+                var oldAccessToken = request.RefreshToken.AccessToken;
+                var tokenRequest = new TokenCreationRequest
+                {
+                    Subject = request.RefreshToken.Subject,
+                    Client = request.Client,
+                    Resources = await _resources.FindEnabledResourcesByScopeAsync(oldAccessToken.Scopes),
+                    ValidatedRequest = request,
+                    AccessTokenToHash = newAccessToken
+                };
+
+                var idToken = await _tokenService.CreateIdentityTokenAsync(tokenRequest);
+                return await _tokenService.CreateSecurityTokenAsync(idToken);
+            }
 
-            var idToken = await _tokenService.CreateIdentityTokenAsync(tokenRequest);
-            return await _tokenService.CreateSecurityTokenAsync(idToken);
+            return null;
         }
     }
 }
diff --git a/test/IdentityServer.IntegrationTests/Clients/RefreshTokenClient.cs b/test/IdentityServer.IntegrationTests/Clients/RefreshTokenClient.cs
@@ -30,7 +30,7 @@ public RefreshTokenClient()
         }
 
         [Fact]
-        public async Task requesting_a_refresh_token_should_return_expected_results()
+        public async Task requesting_a_refresh_token_without_identity_scopes_should_return_expected_results()
         {
             var client = new TokenClient(
                 TokenEndpoint,
@@ -48,6 +48,32 @@ public async Task requesting_a_refresh_token_should_return_expected_results()
 
             response = await client.RequestRefreshTokenAsync(response.RefreshToken);
 
+            response.IsError.Should().BeFalse();
+            response.ExpiresIn.Should().Be(3600);
+            response.TokenType.Should().Be("Bearer");
+            response.IdentityToken.Should().BeNull();
+            response.RefreshToken.Should().NotBeNull();
+        }
+
+        [Fact]
+        public async Task requesting_a_refresh_token_with_identity_scopes_should_return_expected_results()
+        {
+            var client = new TokenClient(
+                TokenEndpoint,
+                "roclient",
+                "secret",
+                innerHttpMessageHandler: _handler);
+
+            var response = await client.RequestResourceOwnerPasswordAsync("bob", "bob", "openid api1 offline_access");
+
+            response.IsError.Should().BeFalse();
+            response.ExpiresIn.Should().Be(3600);
+            response.TokenType.Should().Be("Bearer");
+            response.IdentityToken.Should().BeNull();
+            response.RefreshToken.Should().NotBeNull();
+
+            response = await client.RequestRefreshTokenAsync(response.RefreshToken);
+
             response.IsError.Should().BeFalse();
             response.ExpiresIn.Should().Be(3600);
             response.TokenType.Should().Be("Bearer");