Token refreshing returns id_token which is not in the specs
Cediddi opened this issue · 2 comments
I guess this is related to #230 and IdentityModel/oidc-client-js#1058.
Refreshing a token must return access_token, refresh_token, token_type and expires_in, and optionally an id_token with the iat of the new id_token and the auth_time of the original id_token. Instead it returns an id_token with a different auth_time, causing a mismatch in the auth_time check.
This is because user.last_login is used as the auth_time; instead, it should use the original id_token's auth_time.
This is actually a critical issue and I want to help if I can without breaking the original code flow.
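The refresh-time id_token behaviour described in this report, as an added example rather than the library's own code: a spec-conformant claim builder, the flawed variant that takes auth_time from the user's last_login, and the relying-party check that flags the mismatch. The `last_login` argument, the function names and the sample claim values are assumptions.

```python
# Added example (not django-oidc-provider's code). OIDC Core 12.2 requires the
# id_token returned on a refresh_token grant to keep the original iss/sub/aud,
# carry a fresh iat, and, if auth_time is present, keep the time of the
# original authentication rather than the time the new token is issued.

def refreshed_id_token_claims(original: dict, now: int) -> dict:
    """Spec-conformant claims for the id_token returned with a refreshed
    access_token: fresh iat, auth_time carried over from the original id_token."""
    claims = dict(original)
    claims["iat"] = now
    if "auth_time" in original:
        claims["auth_time"] = original["auth_time"]
    return claims

def refreshed_id_token_claims_buggy(original: dict, last_login: int, now: int) -> dict:
    """The behaviour reported in the issue: auth_time is set from the user's
    last_login (a hypothetical model field here), which moves on every login."""
    claims = dict(original)
    claims["iat"] = now
    claims["auth_time"] = last_login
    return claims

def validate_refreshed_id_token(original: dict, refreshed: dict) -> list:
    """Relying-party side: list the OIDC Core 12.2 violations found when
    comparing a refreshed id_token against the original one (empty if OK)."""
    problems = []
    for claim in ("iss", "sub", "aud"):
        if refreshed.get(claim) != original.get(claim):
            problems.append(f"{claim} changed")
    if refreshed.get("iat", 0) < original.get("iat", 0):
        problems.append("iat is not newer than the original")
    if "auth_time" in refreshed and refreshed["auth_time"] != original.get("auth_time"):
        problems.append("auth_time does not match original authentication time")
    return problems

# Constructed sample: original login at T0, the user logged in again from another
# device an hour later (last_login moved), and the token is refreshed an hour after that.
ORIGINAL = {"iss": "https://op.example", "sub": "user-42", "aud": "client-1",
            "iat": 1700000000, "auth_time": 1700000000}
LAST_LOGIN = 1700003600
NOW = 1700007200

if __name__ == "__main__":
    good = refreshed_id_token_claims(ORIGINAL, NOW)
    bad = refreshed_id_token_claims_buggy(ORIGINAL, LAST_LOGIN, NOW)
    print("spec-conformant:", validate_refreshed_id_token(ORIGINAL, good))  # []
    print("issue behaviour:", validate_refreshed_id_token(ORIGINAL, bad))   # auth_time mismatch
```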
I forked the fork of this library at https://github.com/SelfHacked/django-oidc-provider, then put a few commits on top.
I do not suggest using this library, last updated 5 years ago, nor the fork, last updated 3 years ago.
Go with this: https://github.com/jazzband/django-oauth-toolkit It's still actively maintained and developed.