
Token refreshing returns id_token which is not in the specs

Open Cediddi opened this issue 5 years ago • 2 comments

I guess this is related to #230 and IdentityModel/oidc-client-js#1058

Refreshing a token must return access_token, refresh_token, token_type and expires_in, and optionally id_token with iat of the new id_token and auth_time of original id_token. Instead it returns an id_token with different auth_time, causing a mismatch in auth_time values check.

This is because user.last_login is used as the auth_time, instead it should use the original id_token's auth_time.

This is actually a critical issue and I want to help if I can without breaking the original code flow.

Cediddi avatar Oct 07 '20 10:10 Cediddi
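The behaviour described above, modelled as an added example (this is not code from django-oidc-provider or from the fork mentioned later). It contrasts a refresh handler that derives `auth_time` from `user.last_login` with one that carries over the `auth_time` recorded at the original authentication, and runs both through the checks a relying party applies to a refreshed id_token under OIDC Core 1.0 section 12.2 (same `iss`, `sub`, `aud`; new `iat`; `auth_time` unchanged). `RefreshTokenRecord`, the function names and all token values are constructed for the example; tokens are plain claim dicts rather than signed JWTs.

```python
"""Model of the refresh-grant id_token behaviour discussed in the issue.

Standalone example, not code from django-oidc-provider. Tokens are plain
claim dicts; real id_tokens are signed JWTs, and signing is left out.
"""
from dataclasses import dataclass

# Constructed sample: claims of the id_token issued at the original login.
ORIGINAL_ID_TOKEN = {
    "iss": "https://op.example.test",
    "sub": "user-123",
    "aud": "client-abc",
    "iat": 1_700_000_000,
    "exp": 1_700_003_600,
    "auth_time": 1_700_000_000,
}

ID_TOKEN_LIFETIME = 3600


@dataclass
class RefreshTokenRecord:
    """Hypothetical server-side record persisted with a refresh token.
    Storing auth_time here is the fix: it is the value the OP must reuse."""
    refresh_token: str
    sub: str
    client_id: str
    auth_time: int


def issue_id_token_from_refresh(record, now, auth_time):
    """Shared helper: fresh iat/exp, every other claim as originally issued."""
    return {
        "iss": ORIGINAL_ID_TOKEN["iss"],
        "sub": record.sub,
        "aud": record.client_id,
        "iat": now,
        "exp": now + ID_TOKEN_LIFETIME,
        "auth_time": auth_time,
    }


def refresh_buggy(record, user_last_login, now):
    """The behaviour the issue reports: auth_time taken from user.last_login,
    which moves whenever the user logs in again anywhere, so it can differ
    from the auth_time the relying party saw in the original id_token."""
    return issue_id_token_from_refresh(record, now, auth_time=user_last_login)


def refresh_fixed(record, now):
    """auth_time carried over from the record made at the original authentication."""
    return issue_id_token_from_refresh(record, now, auth_time=record.auth_time)


def validate_refreshed_id_token(original, refreshed):
    """Relying-party checks for an id_token returned by a refresh grant
    (OIDC Core 1.0, section 12.2). Returns a list of violations; empty means OK."""
    problems = []
    for claim in ("iss", "sub", "aud"):
        if refreshed.get(claim) != original.get(claim):
            problems.append(f"{claim} changed: {original.get(claim)!r} -> {refreshed.get(claim)!r}")
    if refreshed.get("iat", 0) <= original.get("iat", 0):
        problems.append("iat must be the issue time of the new token")
    if "auth_time" in original and refreshed.get("auth_time") != original["auth_time"]:
        problems.append(
            f"auth_time changed: {original['auth_time']} -> {refreshed.get('auth_time')}"
        )
    return problems


def demo():
    """Runs both server behaviours against the same client-side check."""
    record = RefreshTokenRecord(
        refresh_token="rt-constructed",
        sub=ORIGINAL_ID_TOKEN["sub"],
        client_id=ORIGINAL_ID_TOKEN["aud"],
        auth_time=ORIGINAL_ID_TOKEN["auth_time"],
    )
    now = 1_700_001_800          # 30 minutes after the original login
    later_login = 1_700_001_000  # user.last_login moved by a second login elsewhere
    buggy = validate_refreshed_id_token(ORIGINAL_ID_TOKEN, refresh_buggy(record, later_login, now))
    fixed = validate_refreshed_id_token(ORIGINAL_ID_TOKEN, refresh_fixed(record, now))
    return buggy, fixed


if __name__ == "__main__":
    buggy, fixed = demo()
    print("buggy:", buggy)   # one auth_time mismatch, the failure the issue reports
    print("fixed:", fixed)   # []
```

The point of the record type is that `auth_time` is a property of the authentication event the refresh token descends from, not of the user row; anything that re-reads it from mutable user state at refresh time will drift as soon as the user authenticates again in another session.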

@Cediddi Any update on the issue? Facing a similar issue.

ashok304u avatar Apr 17 '23 20:04 ashok304u

I forked the fork of this library at https://github.com/SelfHacked/django-oidc-provider, then put a few commits on top.

I do not suggest using this library, last updated 5 years ago, nor the fork, last updated 3 years ago.

Go with this: https://github.com/jazzband/django-oauth-toolkit It's still actively maintained and developed.

Cediddi avatar Apr 21 '23 08:04 Cediddi