Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If I understand correctly, I think this is kinda done. TestShouldRefreshOIDCToken tests if shouldRefreshOIDCToken returns true/false. Which is the equivalent of "refresh attempted".

Then this more e2e style test with a real idp is checking if the underlying oauth library actually does the refresh.

What I should add is a check for the updated expiration time + access token change on the db row. Which also addresses your comment