500 Error on Refresh Token Request in Device Code Flow When Using openid Scope #2037

Open
@VedantPinggy

Describe the bug

When using the Device Code flow with the openid scope, a 500 Internal Server Error occurs during the refresh token step. This happens because the Device Code flow does not issue an ID token, but the presence of the openid scope leads the server to incorrectly expect one during the refresh.

To Reproduce

Start the Device Code flow with the openid scope included.

Complete user authorization and receive the initial token response.

Attempt to use the refresh token to get new tokens.

Expected behavior

The token endpoint should handle the refresh request correctly, even if no ID token was issued in the original Device Code flow. Including the openid scope should not lead to a server error if an ID token was never provided.
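A minimal model of the failure reported above, added here as an illustration; it is not code from the project or from the reporter. The `Grant` record, the function names and the toy token format are all hypothetical, and the sketch assumes the server stores the claims of the original ID token on the grant and leaves them empty when the flow never issued one.

```python
import base64, hashlib, hmac, json, secrets
from dataclasses import dataclass
from typing import Optional

KEY = b"constructed-demo-key"  # constructed value standing in for the server's signing key

@dataclass
class Grant:
    """Hypothetical server-side record of one authorization."""
    subject: str
    scopes: frozenset
    grant_type: str
    # Claims saved when the original flow issued an ID token; None if it never did.
    id_token_claims: Optional[dict] = None

def mint_id_token(claims: dict) -> str:
    """Toy HMAC-signed token (not a real JWT), enough to show the control flow."""
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
    return body.decode() + "." + hmac.new(KEY, body, hashlib.sha256).hexdigest()

def _base_response(grant: Grant) -> dict:
    return {"access_token": secrets.token_urlsafe(16),
            "refresh_token": secrets.token_urlsafe(16),  # rotated on each refresh
            "token_type": "Bearer", "scope": " ".join(sorted(grant.scopes))}

def refresh_naive(grant: Grant) -> dict:
    """Failing pattern: 'openid' in the scopes is taken to mean an ID token exists."""
    resp = _base_response(grant)
    if "openid" in grant.scopes:
        # id_token_claims is None for the device-code grant: TypeError, surfaced as HTTP 500
        resp["id_token"] = mint_id_token(dict(grant.id_token_claims, refreshed=True))
    return resp

def refresh_hardened(grant: Grant) -> dict:
    """Re-issue an ID token only when the original grant actually produced one."""
    resp = _base_response(grant)
    if "openid" in grant.scopes and grant.id_token_claims is not None:
        resp["id_token"] = mint_id_token(dict(grant.id_token_claims, refreshed=True))
    return resp

# Constructed sample grants: same scopes, only the second one ever had an ID token.
DEVICE = Grant("alice", frozenset({"openid", "offline_access"}),
               "urn:ietf:params:oauth:grant-type:device_code")
CODE = Grant("alice", frozenset({"openid", "offline_access"}),
             "authorization_code", {"sub": "alice", "aud": "demo-client"})
```
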
