remove token completely if refresh token response is invalid

Author: bodewig

Diff for: lib/resty/openidc.lua

@@ -1128,6 +1128,11 @@ local function openidc_access_token(opts, session, try_to_renew)
       local id_token, err = openidc_load_and_validate_jwt_id_token(opts, json.id_token, session)
       if err then
         ngx.log(ngx.ERR, "invalid id token, discaring refreshed id token")
+        session.data.access_token = nil
+        session.data.access_token_expiration = nil
+        session.data.refresh_token = nil
+        session.data.enc_id_token = nil
+        session.data.id_token = nil
         session:save()
         return nil, err
       end