Feature: Make event.refresh_token.id available every time an access token is generated.
Description: During oauth2-refresh-token, event.refresh_token.id is always available. However, during oidc-basic-profile it isn’t (as the refresh token hasn’t been generated yet). Would be great to be able to get the id of the refresh token that is going to be generated already during oidc-basic-profile. Alternatively, have the post-login action be triggered also after an authorization code is converted into access and refresh tokens so that we can capture the refresh token id.
Use-case: I want the API that receives and validates the requests with the access tokens to be able to distinguish among requests coming from different authorizations of the same user. This is currently possible in most cases by adding a custom claim on each access token and using the refresh token id to identify the authorization they are from. However, because the refresh token id is not currently available during oidc-basic-profile, it is not currently possible to add it as a custom claim on the very first access token. Thus, there is no way to identify which authorization it is from (in case there are multiple from the same user).
More info of the use case can be found here.
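
The gap described in this request, as an added example that is not part of the original post and not Auth0's own code: post-login Action logic that copies event.refresh_token.id into a custom access token claim, and an API-side helper that treats a token without that claim as unattributable instead of guessing. The claim name, the helper names, the local simulation and the sample events are assumptions constructed for illustration.

```javascript
// Added example: names marked (assumed) are not from the original post.
const CLAIM = "https://api.example.com/authorization_id"; // (assumed) namespaced claim

// Core of a post-login Action. In Auth0 it would be wired up as:
//   exports.onExecutePostLogin = async (event, api) => setAuthorizationClaim(event, api);
function setAuthorizationClaim(event, api) {
  const id = event.refresh_token && event.refresh_token.id;
  if (!id) return false; // e.g. oidc-basic-profile: no refresh token issued yet
  api.accessToken.setCustomClaim(CLAIM, id);
  return true;
}

// API side (assumed helper): key that tells apart authorizations of one user.
// Returns null when the token cannot be tied to a single authorization.
function authorizationKey(claims) {
  const id = claims[CLAIM];
  return typeof id === "string" && id.length > 0 ? `${claims.sub}|${id}` : null;
}

// Local stand-in for token issuance (assumed): runs the Action logic against
// a constructed event and returns the access token claims it would produce.
function simulateIssue(event) {
  const claims = { sub: event.user.user_id };
  const api = { accessToken: { setCustomClaim: (k, v) => { claims[k] = v; } } };
  setAuthorizationClaim(event, api);
  return claims;
}

// Constructed sample events (not real Auth0 payloads): two separate logins of
// the same user, each followed by a refresh of the token it obtained.
const user = { user_id: "auth0|user-1" };
const sampleEvents = [
  { user, transaction: { protocol: "oidc-basic-profile" } },
  { user, transaction: { protocol: "oauth2-refresh-token" }, refresh_token: { id: "rt-A" } },
  { user, transaction: { protocol: "oidc-basic-profile" } },
  { user, transaction: { protocol: "oauth2-refresh-token" }, refresh_token: { id: "rt-B" } },
];

// One key per issued access token, in order of issuance.
function demo() {
  return sampleEvents.map((e) => authorizationKey(simulateIssue(e)));
}

console.log(demo());
```

The two first access tokens produce no key, so an API that needs per-authorization decisions has to handle them as a separate, unattributed case until the first refresh.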