feat: add ability to allow token refresh from hook without overriding the session claims

oauth2/hook.go

@@ -95,7 +95,10 @@ func RefreshTokenHook(config *config.DefaultProvider) AccessRequestHook {
 
 		switch resp.StatusCode {
 		case http.StatusOK:
-			// We only accept '200 OK' here. Any other status code is considered an error.
+			// Token refresh permitted with new session data
+		case http.StatusNoContent:
+			// Token refresh is permitted without overriding session data
+			return nil
 		case http.StatusForbidden:
 			return errorsx.WithStack(
 				fosite.ErrAccessDenied.

oauth2/oauth2_auth_code_test.go

@@ -968,6 +968,31 @@ func TestAuthCodeWithMockStrategy(t *testing.T) {
 						require.True(t, gjson.GetBytes(idTokenBody, "hooked").Bool())
 					})
 
+					t.Run("should not override session data if token refresh hook returns no content", func(t *testing.T) {
+						hs := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+							w.WriteHeader(http.StatusNoContent)
+						}))
+						defer hs.Close()
+
+						conf.MustSet(ctx, config.KeyRefreshTokenHookURL, hs.URL)
+						defer conf.MustSet(ctx, config.KeyRefreshTokenHookURL, nil)
+
+						origAccessTokenClaims := testhelpers.IntrospectToken(t, oauthConfig, &refreshedToken, ts)
+
+						res, err := testRefresh(t, &refreshedToken, ts.URL, false)
+						require.NoError(t, err)
+						assert.Equal(t, http.StatusOK, res.StatusCode)
+
+						body, err = ioutil.ReadAll(res.Body)
+						require.NoError(t, err)
+
+						require.NoError(t, json.Unmarshal(body, &refreshedToken))
+
+						refreshedAccessTokenClaims := testhelpers.IntrospectToken(t, oauthConfig, &refreshedToken, ts)
+
+						assert.Equal(t, origAccessTokenClaims, refreshedAccessTokenClaims)
+					})
+
 					t.Run("should fail token refresh with `server_error` if hook fails", func(t *testing.T) {
 						hs := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 							w.WriteHeader(http.StatusInternalServerError)