Token refreshing returns id_token which is not in the specs #378
Comments
|
@Cediddi Any update on the issue facing similar issue |
|
I forked the fork of this library at https://github.com/SelfHacked/django-oidc-provider Then put a few commits on top. I do not suggest using this library, last updated 5 years ago, nor the fork, last updated 3 years ago. Go with this: https://github.com/jazzband/django-oauth-toolkit It's still actively maintained and developed. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
I guess this is related to #230 and IdentityModel/oidc-client-js#1058
Refreshing a token must return access_token, refresh_token, token_type and expires_in, and optionally id_token with iat of the new id_token and auth_time of original id_token. Instead it returns an id_token with different auth_time, causing a mismatch in auth_time values check.
This is because user.last_login is used as the auth_time, instead it should use the original id_token's auth_time.
This is actually a critical issue and I want to help if I can without breaking the original code flow.
The text was updated successfully, but these errors were encountered: