From 02bb01fdf4f2f697813d893066294086c3d608ed Mon Sep 17 00:00:00 2001
From: AJ ONeal <aj@daplie.com>
Date: Thu, 16 Mar 2017 17:23:19 -0400
Subject: [PATCH 1/2] note the need for limitations on refresh token

---
 oauth3.issuer.js | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/oauth3.issuer.js b/oauth3.issuer.js
index dfacf07..680044c 100644
--- a/oauth3.issuer.js
+++ b/oauth3.issuer.js
@@ -420,6 +420,17 @@ OAUTH3.authz.redirectWithToken = function (providerUri, session, clientParams, s
     , debug: clientParams.debug
     }).then(function (results) {
 
+      // TODO limit refresh token to an expirable token
+      // TODO inform client not to persist token
+      /*
+      if (clientParams.dnsTxt) {
+        Object.keys(results).forEach(function (key) {
+          if (/refresh/.test(key)) {
+            results[key] = undefined;
+          }
+        });
+      }
+      */
       OAUTH3.url.redirect(clientParams, scopes, results);
     });
   }

From abb788780d1769093ddf5f1bff0865124cd4b40a Mon Sep 17 00:00:00 2001
From: AJ ONeal <aj@daplie.com>
Date: Wed, 22 Mar 2017 20:13:06 -0400
Subject: [PATCH 2/2] bugfix: refresh session and assign sub from sub, acs.id,
 or axs[0].appScopedId

---
 oauth3.core.js   | 10 ++++++++--
 oauth3.issuer.js |  2 +-
 2 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/oauth3.core.js b/oauth3.core.js
index dd3fea9..ed19c50 100644
--- a/oauth3.core.js
+++ b/oauth3.core.js
@@ -445,13 +445,19 @@
           // info about the newly-discovered token
           oldSession.token = OAUTH3.jwt.decode(oldSession.access_token).payload;
 
-          oldSession.token.sub = oldSession.token.sub || oldSession.token.acx.id;
+          oldSession.token.sub = oldSession.token.sub
+            || (oldSession.token.acx && oldSession.token.acx.id)
+            || (oldSession.token.axs && oldSession.token.axs[0] && oldSession.token.axs[0].appScopedId)
+            ;
           oldSession.token.client_uri = clientUri;
           oldSession.token.provider_uri = providerUri;
 
           if (oldSession.refresh_token) {
             oldSession.refresh = OAUTH3.jwt.decode(oldSession.refresh_token).payload;
-            oldSession.refresh.sub = oldSession.refresh.sub || oldSession.refresh.acx.id;
+            oldSession.refresh.sub = oldSession.refresh.sub
+              || (oldSession.refresh.acx && oldSession.refresh.acx.id)
+              || (oldSession.refresh.axs && oldSession.refresh.axs[0] && oldSession.refresh.axs[0].appScopedId)
+              ;
             oldSession.refresh.provider_uri = providerUri;
           }
 
diff --git a/oauth3.issuer.js b/oauth3.issuer.js
index 680044c..57672d8 100644
--- a/oauth3.issuer.js
+++ b/oauth3.issuer.js
@@ -207,7 +207,7 @@ OAUTH3.urls.grants = function (directive, opts) {
 
   var url = OAUTH3.url.resolve(directive.issuer, directive.grants.url)
     .replace(/(:azp|:client_id)/g, OAUTH3.uri.normalize(opts.client_id || opts.client_uri))
-    .replace(/(:sub|:account_id)/g, opts.session.token.sub)
+    .replace(/(:sub|:account_id)/g, opts.session.token.sub || 'ISSUER:GRANT:TOKEN_SUB:UNDEFINED')
     ;
   var data = {
     client_id: opts.client_id