Why is id_token_jwt stored in session when id_token is already there?
Flask-pyoidc/src/flask_pyoidc/pyoidc_facade.py
Lines 198 to 207 in 5e66a38
This line is adding id_token_jwt which is inserted into the session:
Flask-pyoidc/src/flask_pyoidc/flask_pyoidc.py
Lines 176 to 181 in 5e66a38
When id_token is parsed from id_token_jwt, why do we need both of them in session? The problem it is causing now is that when I delegate token exchange to oic.oic.Client.do_access_token_request, it only returns the parsed id_token, so I no longer have id_token_jwt.
The signed and serialised ID token needs to be stored in the session to be usable as id_token_hint in applicable requests (e.g. logout request: #32).
It's used here.
I've not dug into detail so not sure how/if it can be extracted from Client.do_access_token_request, but that is something that is needed.
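
An added example, not part of the issue thread or of Flask-pyoidc's code, showing why the session needs the serialised token for id_token_hint: the parsed claims carry no header or signature, so a logout request cannot be built from them. The helper names, the HS256 sample token, the key and the example.* URLs are constructed for illustration; only the session keys id_token and id_token_jwt come from the issue.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import urlencode


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_sample_id_token(claims: dict, key: bytes) -> str:
    """Constructed HS256 compact JWS standing in for a provider-issued ID token."""
    signing_input = ".".join(
        _b64url(json.dumps(part).encode()) for part in ({"alg": "HS256"}, claims)
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def parse_claims(id_token_jwt: str) -> dict:
    """Decode the payload segment only; header and signature are not kept."""
    payload = id_token_jwt.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def build_logout_url(end_session_endpoint: str, session: dict,
                     post_logout_redirect_uri: str, state: str) -> str:
    """Build a logout request; id_token_hint must be the serialised token."""
    raw = session.get("id_token_jwt")
    if not isinstance(raw, str) or raw.count(".") != 2:
        # Parsed claims alone cannot be turned back into the signed token.
        raise ValueError("id_token_hint requires the serialised ID token")
    query = urlencode({
        "id_token_hint": raw,
        "post_logout_redirect_uri": post_logout_redirect_uri,
        "state": state,
    })
    return f"{end_session_endpoint}?{query}"


# Constructed sample data (not from the issue).
SAMPLE_KEY = b"constructed-demo-key"
SAMPLE_CLAIMS = {"iss": "https://op.example", "sub": "user-1", "aud": "client-1"}
SAMPLE_JWT = make_sample_id_token(SAMPLE_CLAIMS, SAMPLE_KEY)
SESSION = {"id_token": parse_claims(SAMPLE_JWT), "id_token_jwt": SAMPLE_JWT}

if __name__ == "__main__":
    print(build_logout_url("https://op.example/logout", SESSION,
                           "https://rp.example/after-logout", "constructed-state"))
```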