Describe the bug?
Some authorization servers return an ID token with a nonce after a refresh occurs. Currently the library's default token verifier unconditionally checks the ID token's nonce against null in a refresh operation. This results in not being able to refresh tokens with this new SDK on the aforementioned authorization servers.

What is expected to happen?
https://openid.bitbucket.io/connect/openid-connect-core-1_0.html#RefreshTokenResponse
"it SHOULD NOT have a nonce Claim, even when the ID Token issued at the time of the original authentication contained nonce; however, if it is present, its value MUST be the same as in the ID Token issued at the time of the original authentication, and [...]"
Going off the amended spec, the validator should allow refresh response ID tokens to contain a nonce.

What is the actual behavior?
IdTokenValidator.Error.NONCE_MISMATCH is thrown.

Reproduction Steps?
You can reproduce this with Keycloak 21.1.0 by setting up a public client and configuring the sample application to authenticate against it. The "Refresh Access Token" button will result in a failure.
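As an added illustration (not the SDK's own code), the following Python sketches the nonce check the quoted spec text calls for, next to the stricter refresh check the report describes. NonceError, validate_nonce, validate_nonce_as_reported and the sample claim values are assumptions of this example, not names from the SDK.

```python
import hmac
from enum import Enum
from typing import Optional


class NonceError(Enum):
    NONCE_MISSING = "initial-auth ID token has no nonce claim"
    NONCE_MISMATCH = "nonce claim does not match the nonce the client sent"


def _same(a: str, b: str) -> bool:
    return hmac.compare_digest(a.encode(), b.encode())  # constant-time compare


def validate_nonce_as_reported(claims: dict, expected_nonce: Optional[str]) -> Optional[NonceError]:
    """Behaviour the report describes: on refresh the verifier passes expected_nonce=None,
    so an ID token that carries any nonce at all is rejected as a mismatch."""
    return None if claims.get("nonce") == expected_nonce else NonceError.NONCE_MISMATCH


def validate_nonce(claims: dict, original_nonce: Optional[str], is_refresh: bool) -> Optional[NonceError]:
    """Nonce check following OIDC Core 1.0; returns None when the token is acceptable.
    Initial auth: if the client sent a nonce, the ID token MUST echo it (replay protection).
    Refresh: nonce SHOULD NOT be present, but if it is, it MUST equal the original one.
    """
    token_nonce = claims.get("nonce")
    if token_nonce is not None and not isinstance(token_nonce, str):
        return NonceError.NONCE_MISMATCH  # malformed claim never matches
    if not is_refresh:
        if original_nonce is None:
            return None  # client did not bind this request to a nonce
        if token_nonce is None:
            return NonceError.NONCE_MISSING
        return None if _same(token_nonce, original_nonce) else NonceError.NONCE_MISMATCH
    if token_nonce is None:
        return None  # the SHOULD NOT case: refresh response without a nonce
    if original_nonce is None or not _same(token_nonce, original_nonce):
        return NonceError.NONCE_MISMATCH
    return None


# Constructed sample claims (not captured from a real server): the original ID token
# and a refreshed one that, like the servers in the report, echoes the same nonce.
ORIGINAL_NONCE = "n-0S6_WzA2Mj"
INITIAL_CLAIMS = {"sub": "user-1", "nonce": ORIGINAL_NONCE}
REFRESH_CLAIMS_WITH_NONCE = {"sub": "user-1", "nonce": ORIGINAL_NONCE}
REFRESH_CLAIMS_NO_NONCE = {"sub": "user-1"}
```

The client must keep the nonce from the original authentication across refreshes, since that is the only value a refreshed ID token's nonce can legitimately be compared with.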
Additional Information?
https://bitbucket.org/openid/connect/issues/1025/ambiguity-with-how-nonce-is-handled-on
SDK Version and Artifact(s) used.
Version 1.1.3
Build Information
No response