500 response code when refresh token does not exist #3971

Open
3 tasks done
nrwiersma opened this issue Feb 5, 2025 · 0 comments
@nrwiersma
Contributor

Preflight Checklist

  • I agree to follow the Code of Conduct that this project adheres to.
  • I have searched the issue tracker for an issue that matches the one I want to file, without success.
  • I am not looking for support or already pursued the available support channels without success.

Version

2.41.1

Storage Type

etcd

Installation Type

Official Helm chart

Expected Behavior

Trying to refresh a token when there is no upstream refresh token returns a 4xx status code, most likely 400.

Actual Behavior

When no refresh token exists, a 500 status code is returned, causing service monitoring to start alerting.

Steps To Reproduce

  1. Set up an upstream provider without offline_access scope.
  2. Try to refresh the dex token.

Additional Information

The issue is being caused by this:

    err := s.storage.UpdateRefreshToken(ctx, rCtx.storageToken.ID, refreshTokenUpdater)
    if err != nil {
        s.logger.ErrorContext(ctx, "failed to update refresh token", "err", err)
        return nil, ident, newInternalServerError()
    }

The OIDC connector, or any connector for that matter, is unable to indicate a non-500 error has occurred. I also did not find any sentinel errors that could be returned instead.

Configuration

Logs

2025-01-30 17:17:22.480	time=2025-01-30T16:17:22.480Z level=ERROR msg="failed to update refresh token" err="refresh token error: status 500, \"invalid_request\" " request_id=73e82ef5-fc5e-4e99-a9af-440e874c7db2
2025-01-30 17:17:22.480	time=2025-01-30T16:17:22.480Z level=ERROR msg="failed to refresh identity" err="oidc: failed to get refresh token: oauth2: token expired and refresh token is not set" request_id=73e82ef5-fc5e-4e99-a9af-440e874c7db2
2025-01-30 17:17:22.297	time=2025-01-30T16:17:22.297Z level=ERROR msg="failed to update refresh token" err="refresh token error: status 500, \"invalid_request\" " request_id=19d11223-7a9b-42f1-8ac8-1d84a1a7650e
2025-01-30 17:17:22.297	time=2025-01-30T16:17:22.297Z level=ERROR msg="failed to refresh identity" err="oidc: failed to get refresh token: oauth2: token expired and refresh token is not set" request_id=19d11223-7a9b-42f1-8ac8-1d84a1a7650e
2025-01-30 17:17:19.290	time=2025-01-30T16:17:19.289Z level=ERROR msg="failed to update refresh token" err="refresh token error: status 500, \"invalid_request\" " request_id=b793b563-ab8d-4628-aada-a3783f419a70
2025-01-30 17:17:19.290	time=2025-01-30T16:17:19.289Z level=ERROR msg="failed to refresh identity" err="oidc: failed to get refresh token: oauth2: token expired and refresh token is not set" request_id=b793b563-ab8d-4628-aada-a3783f419a70
2025-01-30 17:17:17.300	time=2025-01-30T16:17:17.300Z level=ERROR msg="failed to update refresh token" err="refresh token error: status 500, \"invalid_request\" " request_id=a9f83f4e-53bf-44d6-92a8-5b6350aa2ea0
2025-01-30 17:17:17.300	time=2025-01-30T16:17:17.300Z level=ERROR msg="failed to refresh identity" err="oidc: failed to get refresh token: oauth2: token expired and refresh token is not set" request_id=a9f83f4e-53bf-44d6-92a8-5b6350aa2ea0
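
Added example, not part of the original issue and not dex's own code: a sketch of the sentinel-error pattern the report says is missing, where a connector marks "no upstream refresh token" as a client-side condition and the token handler maps it to a 400 instead of a 500. `ErrNoRefreshToken`, `refreshUpstream` and `classify` are hypothetical names.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
)

// ErrNoRefreshToken is a hypothetical sentinel (not part of dex) that a
// connector returns when the upstream never issued a refresh token.
var ErrNoRefreshToken = errors.New("connector: no upstream refresh token")

// refreshUpstream stands in for a connector's refresh call. hasToken models
// whether the upstream provider was set up with the offline_access scope.
func refreshUpstream(hasToken, upstreamDown bool) error {
	switch {
	case !hasToken:
		// Wrap so the cause stays in the logs while errors.Is still matches.
		return fmt.Errorf("oidc: failed to get refresh token: %w", ErrNoRefreshToken)
	case upstreamDown:
		return errors.New("oidc: upstream unreachable")
	}
	return nil
}

// classify maps a refresh error to the HTTP status and OAuth2 error code
// sent to the client. Only conditions the client must resolve (here by
// re-authenticating) become 4xx, using invalid_grant from RFC 6749
// section 5.2. Unrecognised errors stay 500 so real outages still alert.
func classify(err error) (status int, code string) {
	switch {
	case err == nil:
		return http.StatusOK, ""
	case errors.Is(err, ErrNoRefreshToken):
		return http.StatusBadRequest, "invalid_grant"
	default:
		return http.StatusInternalServerError, "server_error"
	}
}

func main() {
	// Constructed cases: healthy refresh, missing token, upstream outage.
	for _, c := range []struct{ hasToken, down bool }{{true, false}, {false, false}, {true, true}} {
		status, code := classify(refreshUpstream(c.hasToken, c.down))
		fmt.Printf("hasToken=%v down=%v -> %d %q\n", c.hasToken, c.down, status, code)
	}
}
```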