Preflight checklist

• I could not find a solution in the existing issues, docs, nor discussions.
• I agree to follow this project'sCode of Conduct.
• I have read and am following this repository'sContribution Guidelines.
• This issue affects myOry Network project.
• I have joined theOry Community Slack.
• I am signed up to theOry Security Patch Newsletter.

Describe the bug

The requester ID for the Requester used in the refresh token flow should use the same ID as the original requester object. This is currently set just before theCreateRefreshTokenSession is called in the "Populate" step.

Problems -

1. Implies that anything outside the refresh token handler is unaware of the original request's ID, which may play a part in populating audit records, other token sessions - such as the upcomingdevice secret, etc.
2. Inconsistent with the auth code flow, where the token handler populates the ID in theright location based on the AuthorizeRequester.

Alternatives -

• Where needed, call GetRefreshTokenSession again. This is potentially expensive, especially given the implementations in Hydra and others that call into the DB whenever this is invoked. This can be worked around if the implementer caches the refresh token session in the Go context and looks it up if the same function is invoked within the same request.

Resolution -

• Addrequest.SetID(originalRequest.GetID()) beforehttps://github.com/ory/fosite/blob/master/handler/oauth2/flow_refresh.go#L80

Reproducing the bug

This is not a bug that can be recreated without adding new handlers that consume the original request ID at specific places, such as at the end of token generation or request validation (NewAccessRequest).

Relevant log output

N/A

Relevant configuration

N/A

Version

N/A

On which operating system are you observing this issue?

macOS

In which environment are you deploying?

Binary

Additional Context

No response