chore(refresh): remove unneeded logic, add comment for clarification

fence/oidc/grants/refresh_token_grant.py

@@ -140,6 +140,13 @@ def create_token_response(self):
             client, self.GRANT_TYPE, user=user, expires_in=expires_in, scope=scope
         )
 
+        # replace the newly generated refresh token with the one provided
+        # this prevents refreshing a refresh token in order to meet
+        # the security requirement that users must authenticate every
+        # 30 days
+        #
+        # TODO: this could be handled differently, we could track last authN
+        #       and still allow refreshing refresh tokens
         if self.GRANT_TYPE == "refresh_token":
             token["refresh_token"] = self.request.data.get("refresh_token", "")
 

fence/oidc/jwt_generator.py

@@ -46,12 +46,8 @@ def generate_token(client, grant_type, **kwargs):
             claims (to avoid having to encode or decode the refresh token
             here)
     """
-    if grant_type == "authorization_code":
+    if grant_type == "authorization_code" or grant_type == "refresh_token":
         return generate_token_response(client, grant_type, **kwargs)
-    elif grant_type == "refresh_token":
-        tokens = generate_token_response(client, grant_type, **kwargs)
-        tokens["refresh_token"] = ""
-        return tokens
     elif grant_type == "implicit":
         return generate_implicit_response(client, grant_type, **kwargs)
 
@@ -64,7 +60,7 @@ def generate_implicit_response(
     user=None,
     scope=None,
     nonce=None,
-    **kwargs
+    **kwargs,
 ):
     # prevent those bothersome "not bound to session" errors
     if user not in current_session:
@@ -131,7 +127,7 @@ def generate_token_response(
     nonce=None,
     refresh_token=None,
     refresh_token_claims=None,
-    **kwargs
+    **kwargs,
 ):
     # prevent those bothersome "not bound to session" errors
     if user not in current_session: