fix(openIDConnect scheme): Check token expiration before id_token (#1684)

* fix(openIDConnect scheme): Check token expiration before id_token

During an Axios call, the token is not automatically refreshed because it relies on the tokenExpired return of the scheme check function, which first checks id_token which often expires at the same time, and therefore does not detect any problems.
By checking first the token expiration before the id_token, the problem is solved

Related issue : 
#1370

* Fix linting error

* Added comment explaining the order / reasoning

#1684 (comment)

* Adjusted comment to be clearer about the exact order

* One more comment edit

* Fixing linting error (again)

* Fix linting error Check failure on line 122 in src/schemes/openIDConnect.ts

Co-authored-by: Dylan Geenen <58949478+dygeenen@users.noreply.github.com>
Co-authored-by: Steven Hollingsworth <shollingsworth@barracuda.com>

Author: 3 people

src/schemes/openIDConnect.ts

@@ -113,18 +113,30 @@ export class OpenIDConnectScheme<
       return response
     }
 
-    // Id token has expired. Force reset.
-    if (idTokenStatus.expired()) {
-      response.idTokenExpired = true
-      return response
-    }
-
     // Token has expired, Force reset.
     if (tokenStatus.expired()) {
       response.tokenExpired = true
       return response
     }
 
+    /**
+    Id token has expired. Force reset.
+
+    idToken needs to be set after token because the access_token
+    is sent in the Authorization header when making an axios request. If
+    the access_token is expired, we need to refresh that token before
+    continuing.
+
+    Checking whether the id_token has expired doesn't guarantee a successful
+    call to the (a) back end and typically the id_token has a different
+    (shorter) expiry schedule to the access_token.
+    */
+
+    if (idTokenStatus.expired()) {
+      response.idTokenExpired = true
+      return response
+    }
+
     response.valid = true
     return response
   }