check that we really receive RT

internal/model/apiError.go

@@ -12,8 +12,9 @@ type APIError struct {
 
 // Predefined errors
 var (
-	APIErrorUnknownIssuer = APIError{ErrorInvalidRequest, "The provided issuer is not supported"}
-	APIErrorStateMismatch = APIError{ErrorInvalidRequest, "State mismatched"}
+	APIErrorUnknownIssuer  = APIError{ErrorInvalidRequest, "The provided issuer is not supported"}
+	APIErrorStateMismatch  = APIError{ErrorInvalidRequest, "State mismatched"}
+	APIErrorNoRefreshToken = APIError{ErrorOIDC, "Did not receive a refresh token"}
 )
 
 // Predefined OAuth2/OIDC errors

internal/oidc/authcode/authcode.go

@@ -147,7 +147,12 @@ func CodeExchange(state, code string, networkData model.NetworkData) model.Respo
 		}
 		return model.ErrorToInternalServerErrorResponse(err)
 	}
-	//TODO check if we got a RT
+	if token.RefreshToken == "" {
+		return model.Response{
+			Status:   fiber.StatusInternalServerError,
+			Response: model.APIErrorNoRefreshToken,
+		}
+	}
 	oidcSub, err := getSubjectFromUserinfo(provider.Provider, token)
 	if err != nil {
 		return model.ErrorToInternalServerErrorResponse(err)