From 833e654a07f16b4631973bfb5aa55eb65574b066 Mon Sep 17 00:00:00 2001
From: Faey <1144986+FaeyUmbrea@users.noreply.github.com>
Date: Thu, 20 Mar 2025 10:00:36 +0100
Subject: [PATCH] feat(actions): Add refresh token to post authentication action context (#9493)

# Which Problems Are Solved
- Refresh Tokens issued by third party authentication providers are lost
# How the Problems Are Solved
- Allows the existing post authentication action to capture the refresh token
# Additional Changes
- Docs updated to reflect the new property
# Additional Context
- Partially addresses #7851 by allowing the refresh token to be captured.
Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
---
 docs/docs/apis/actions/external-authentication.md | 2 ++
 internal/api/ui/login/custom_action.go | 5 ++++-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/docs/docs/apis/actions/external-authentication.md b/docs/docs/apis/actions/external-authentication.md
index 6a3a4d5551..114185871b 100644
--- a/docs/docs/apis/actions/external-authentication.md
+++ b/docs/docs/apis/actions/external-authentication.md
@@ -18,6 +18,8 @@ The trigger is represented by the following Ids in the API: `TRIGGER_TYPE_POST_A
 The first parameter contains the following fields
 - `accessToken` *string*
 The access token returned by the identity provider. This can be an opaque token or a JWT
+ - `refreshToken` *string*
+ The refresh token returned by the identity provider if there is one. This is most likely to be an opaque token.
 - `claimsJSON()` [*idTokenClaims*](../openidoauth/claims)
 Returns all claims of the id token
 - `getClaim(key)` *Any*
diff --git a/internal/api/ui/login/custom_action.go b/internal/api/ui/login/custom_action.go
index 6e8054943e..9451ebb1fc 100644
--- a/internal/api/ui/login/custom_action.go
+++ b/internal/api/ui/login/custom_action.go
@@ -430,7 +430,7 @@ func (l *Login) runPostCreationActions(
 }

 func tokenCtxFields(tokens *oidc.Tokens[*oidc.IDTokenClaims]) []actions.FieldOption {
- var accessToken, idToken string
+ var accessToken, idToken, refreshToken string
 getClaim := func(claim string) interface{} {
 return nil
 }
@@ -443,9 +443,11 @@ func tokenCtxFields(tokens *oidc.Tokens[*oidc.IDTokenClaims]) []actions.FieldOpt
 actions.SetFields("idToken", idToken),
 actions.SetFields("getClaim", getClaim),
 actions.SetFields("claimsJSON", claimsJSON),
+ actions.SetFields("refreshToken", refreshToken),
 }
 }
 accessToken = tokens.AccessToken
+ refreshToken = tokens.RefreshToken
 idToken = tokens.IDToken
 if tokens.IDTokenClaims != nil {
 getClaim = func(claim string) interface{} {
@@ -464,6 +466,7 @@ func tokenCtxFields(tokens *oidc.Tokens[*oidc.IDTokenClaims]) []actions.FieldOpt
 actions.SetFields("idToken", idToken),
 actions.SetFields("getClaim", getClaim),
 actions.SetFields("claimsJSON", claimsJSON),
+ actions.SetFields("refreshToken", refreshToken),
 }
 }
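Review bot: `refreshToken = tokens.RefreshToken` in the second hunk, together with the two `actions.SetFields("refreshToken", refreshToken)` lines (here and in the third hunk), hands the identity provider's refresh token to every post-authentication action script, and neither the code nor the new docs entry marks it as a long-lived credential that typically outlives the access token beside it. I would put a comment above the assignment, `// refreshToken is a long-lived IdP credential; never log it or include it in error output`, and add a sentence to the docs entry telling script authors to store it encrypted and keep it out of logs. Whether the action runtime logs or persists the context fields is not visible in this patch, so that is worth confirming before merge. tokenCtxFields starts and ends outside these hunks.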
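Review bot: The field list is maintained in two places: `actions.SetFields("refreshToken", refreshToken)` had to be added to the return literal in the second hunk and again to the one at the end of the function in this third hunk, so a later field can easily land in only one of them. Since the zero values declared at the top already cover the empty case, the early return could be dropped by guarding the assignments with `if tokens != nil {` and keeping the single `return []actions.FieldOption{…}` at the end. The condition guarding the first return lies outside the hunks, so this assumes it is a nil check on `tokens`. The diffstat also lists no test file; a table test asserting that the same field names are set for nil and populated tokens would pin the new field.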