Return refresh token only if we issue one

According to https://tools.ietf.org/html/rfc6749#section-5.1, refresh_token parameter is OPTIONAL, so do not return one with null value in case we don't issue a refresh token
IdentityPython · Oct 12, 2017 · f696187 · f696187
1 parent cf57877
commit f696187
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/src/pyop/provider.py b/src/pyop/provider.py
@@ -357,7 +357,9 @@ def _do_code_exchange(self, request,  # type: Dict[str, str]
 
         access_token = self.authz_state.exchange_code_for_token(token_request['code'])
         self._add_access_token_to_response(response, access_token)
-        response['refresh_token'] = self.authz_state.create_refresh_token(access_token.value)
+        refresh_token = self.authz_state.create_refresh_token(access_token.value)
+        if refresh_token is not None:
+            response['refresh_token'] = refresh_token
 
         if extra_id_token_claims is None:
             extra_id_token_claims = {}