USERID is NULL in T_REFRESH_TOKEN table
Article ID: 413477


Products

Symantec Identity Security Platform - IDSP (formerly VIP Authentication Hub)

Issue/Introduction

Using a custom third-party ID token in the JWT Bearer Grant flow to generate a refresh token results in an entry in the T_REFRESH_TOKEN table where the USERID column is set to NULL.

Why does this happen and what is the impact of this issue?

Environment

VIP Authentication Hub 3.3.x

Resolution

The USERID column is set to NULL in the T_REFRESH_TOKEN table because no underlying account has been pre-provisioned yet. The JWT Bearer Grant flow is a back-channel flow. To have an underlying account, the user must be authenticated through a front-channel web flow.

There is no impact when exchanging these refresh tokens for access tokens or identity tokens. The only limitation is that revoking refresh tokens by USERID is not possible for these tokens, because there is no USERID value to match on.

At the time of writing, the latest affected VIP Authentication Hub version is 3.4.5. This issue is planned to be resolved in a future VIP Authentication Hub release with an enhanced feature that provides optional support for back-channel user disambiguation, which will allow the account to be provisioned.
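To make the revocation limitation concrete, the following is an added illustration written for this article; it is not code from VIP Authentication Hub and does not use its real schema or APIs. It models a simplified T_REFRESH_TOKEN table in memory: a token issued through a front-channel login carries a USERID, while one issued through the back-channel JWT Bearer Grant (RFC 7523, grant type `urn:ietf:params:oauth:grant-type:jwt-bearer`) is stored with USERID set to NULL (`None`). The example shows that revocation by USERID leaves those rows untouched, mirroring SQL semantics where `USERID = NULL` never matches, and adds an audit helper that lists tokens which can only be revoked individually. The `RefreshTokenTable` class, its column names beyond USERID, and the per-token revocation method are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional
import secrets

# Grant type identifier defined by RFC 7523 (JWT Profile for OAuth 2.0 grants).
JWT_BEARER_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer"


def build_jwt_bearer_request(assertion: str, client_id: str, scope: str) -> Dict[str, str]:
    """Form parameters a client would POST to the token endpoint for a JWT Bearer Grant.

    The assertion is the (third-party) ID token; the server validates it out of band.
    """
    return {
        "grant_type": JWT_BEARER_GRANT,
        "assertion": assertion,
        "client_id": client_id,
        "scope": scope,
    }


@dataclass
class RefreshTokenRow:
    # Hypothetical row layout modelled on the article: only USERID is taken from the page.
    token_id: str
    client_id: str
    userid: Optional[str]  # None models SQL NULL: no pre-provisioned account
    revoked: bool = False


@dataclass
class RefreshTokenTable:
    rows: List[RefreshTokenRow] = field(default_factory=list)

    def issue_front_channel(self, client_id: str, userid: str) -> RefreshTokenRow:
        """Front-channel web login: the account exists, so USERID is populated."""
        row = RefreshTokenRow(secrets.token_urlsafe(16), client_id, userid)
        self.rows.append(row)
        return row

    def issue_jwt_bearer(self, client_id: str, assertion: str) -> RefreshTokenRow:
        """Back-channel JWT Bearer Grant: no account was provisioned, so USERID is NULL."""
        request = build_jwt_bearer_request(assertion, client_id, "openid")
        assert request["grant_type"] == JWT_BEARER_GRANT
        row = RefreshTokenRow(secrets.token_urlsafe(16), client_id, userid=None)
        self.rows.append(row)
        return row

    def revoke_by_userid(self, userid: Optional[str]) -> int:
        """Revoke every active token for a user. Returns the number of rows affected.

        Mirrors SQL three-valued logic: a NULL USERID never equals anything,
        so passing None revokes nothing rather than sweeping up the NULL rows.
        """
        if userid is None:
            return 0
        count = 0
        for row in self.rows:
            if not row.revoked and row.userid == userid:
                row.revoked = True
                count += 1
        return count

    def revoke_by_token_id(self, token_id: str) -> bool:
        """Assumed per-token revocation path for rows that cannot be reached by USERID."""
        for row in self.rows:
            if row.token_id == token_id and not row.revoked:
                row.revoked = True
                return True
        return False

    def audit_unrevocable_by_userid(self) -> List[RefreshTokenRow]:
        """Active rows with NULL USERID: the ones a per-user revocation will miss."""
        return [row for row in self.rows if row.userid is None and not row.revoked]


if __name__ == "__main__":
    table = RefreshTokenTable()
    table.issue_front_channel("web-app", "alice")
    orphan = table.issue_jwt_bearer("api-client", "eyJ.constructed.assertion")
    print("revoked by USERID 'alice':", table.revoke_by_userid("alice"))
    print("tokens needing individual revocation:", len(table.audit_unrevocable_by_userid()))
    print("per-token revocation of NULL-USERID row:", table.revoke_by_token_id(orphan.token_id))
```

The audit helper is the operationally useful part: because a user-scoped revocation cannot reach these rows, an operator who needs to invalidate sessions created through the JWT Bearer Grant has to account for them separately until the planned back-channel disambiguation feature provisions an account.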