bugfix: refresh session and assign sub from sub, acs.id, or axs[0].appScopedId

oauth3.core.js

@@ -445,13 +445,19 @@
           // info about the newly-discovered token
           oldSession.token = OAUTH3.jwt.decode(oldSession.access_token).payload;
 
-          oldSession.token.sub = oldSession.token.sub || oldSession.token.acx.id;
+          oldSession.token.sub = oldSession.token.sub
+            || (oldSession.token.acx && oldSession.token.acx.id)
+            || (oldSession.token.axs && oldSession.token.axs[0] && oldSession.token.axs[0].appScopedId)
+            ;
           oldSession.token.client_uri = clientUri;
           oldSession.token.provider_uri = providerUri;
 
           if (oldSession.refresh_token) {
             oldSession.refresh = OAUTH3.jwt.decode(oldSession.refresh_token).payload;
-            oldSession.refresh.sub = oldSession.refresh.sub || oldSession.refresh.acx.id;
+            oldSession.refresh.sub = oldSession.refresh.sub
+              || (oldSession.refresh.acx && oldSession.refresh.acx.id)
+              || (oldSession.refresh.axs && oldSession.refresh.axs[0] && oldSession.refresh.axs[0].appScopedId)
+              ;
             oldSession.refresh.provider_uri = providerUri;
           }
 

oauth3.issuer.js

@@ -207,7 +207,7 @@ OAUTH3.urls.grants = function (directive, opts) {
 
   var url = OAUTH3.url.resolve(directive.issuer, directive.grants.url)
     .replace(/(:azp|:client_id)/g, OAUTH3.uri.normalize(opts.client_id || opts.client_uri))
-    .replace(/(:sub|:account_id)/g, opts.session.token.sub)
+    .replace(/(:sub|:account_id)/g, opts.session.token.sub || 'ISSUER:GRANT:TOKEN_SUB:UNDEFINED')
     ;
   var data = {
     client_id: opts.client_id