From 4980869977302612c77518adbd6351f568c264a4 Mon Sep 17 00:00:00 2001
From: Tim Klocke <taaem@mailbox.org>
Date: Sat, 24 May 2025 18:05:57 +0200
Subject: [PATCH] cmd/tsidp: Fix sending string for refresh_token

In accordance with the OIDC/OAuth 2.0 protocol, do not send an empty
refresh_token and instead omit the field when empty.

Fixes https://github.com/tailscale/tailscale/issues/16073

Signed-off-by: Tim Klocke <taaem@mailbox.org>
---
 cmd/tsidp/tsidp.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cmd/tsidp/tsidp.go b/cmd/tsidp/tsidp.go
index e2b777fa1..2d9450e96 100644
--- a/cmd/tsidp/tsidp.go
+++ b/cmd/tsidp/tsidp.go
@@ -795,7 +795,7 @@ type oidcTokenResponse struct {
 	IDToken      string `json:"id_token"`
 	TokenType    string `json:"token_type"`
 	AccessToken  string `json:"access_token"`
-	RefreshToken string `json:"refresh_token"`
+	RefreshToken string `json:"refresh_token,omitempty"`
 	ExpiresIn    int    `json:"expires_in"`
 }