juanifioren / django-oidc-provider

OpenID Connect and OAuth2 provider implementation for Djangonauts.
http://django-oidc-provider.readthedocs.org
MIT License

Token refreshing returns id_token which is not in the specs #378

Open Cediddi opened 3 years ago

Cediddi commented 3 years ago

I guess this is related to #230 and IdentityModel/oidc-client-js#1058.

Refreshing a token must return access_token, refresh_token, token_type and expires_in, and optionally an id_token with the iat of the new id_token and the auth_time of the original id_token. Instead it returns an id_token with a different auth_time, causing a mismatch in the auth_time value check.

This is because user.last_login is used as the auth_time, instead it should use the original id_token's auth_time.

This is actually a critical issue and I want to help if I can without breaking the original code flow.
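The refresh behaviour the post describes, as an added example that is not code from django-oidc-provider or any of its forks: a minimal refresh grant in two variants (auth_time taken from the user's last login, as reported, beside one that reuses the auth_time stored with the original id_token), and the client-side check from OpenID Connect Core 1.0 section 12.2 that rejects the first variant. Claims are plain dicts (no JWT signing), and every name and timestamp here is constructed for the illustration.

```python
import secrets
from dataclasses import dataclass
from typing import Tuple

ISSUER = "https://op.example"  # constructed issuer URL


@dataclass
class IssuedGrant:
    """Server-side record of one authorization (hypothetical model, not the library's)."""
    refresh_token: str
    sub: str
    client_id: str
    original_id_token: dict  # claims of the id_token minted at the original login


def mint_id_token(sub: str, client_id: str, auth_time: int, now: int, lifetime: int = 600) -> dict:
    """Build ID token claims: iat is the issue time, auth_time is whatever the caller supplies."""
    return {"iss": ISSUER, "sub": sub, "aud": client_id,
            "iat": now, "exp": now + lifetime, "auth_time": auth_time}


def _token_response(id_token: dict) -> dict:
    """Shape of a successful refresh response; token values are random placeholders."""
    return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
            "expires_in": 3600, "refresh_token": secrets.token_urlsafe(32),
            "id_token": id_token}


def refresh_using_last_login(grant: IssuedGrant, user_last_login: int, now: int) -> dict:
    """Pattern the issue reports: auth_time comes from user.last_login, so any later login
    by the same user (another browser, another client) changes the value this client sees."""
    return _token_response(mint_id_token(grant.sub, grant.client_id, user_last_login, now))


def refresh_preserving_auth_time(grant: IssuedGrant, now: int) -> dict:
    """Spec-conformant variant: fresh iat, auth_time copied from the original id_token."""
    return _token_response(mint_id_token(grant.sub, grant.client_id,
                                         grant.original_id_token["auth_time"], now))


def validate_refreshed_id_token(original: dict, refreshed: dict, now: int) -> Tuple[bool, str]:
    """Client-side checks OIDC Core 1.0 section 12.2 requires for an id_token returned on refresh:
    iss, sub and aud unchanged; iat reflects the new issuance; auth_time, if present, unchanged."""
    for claim in ("iss", "sub", "aud"):
        if refreshed.get(claim) != original.get(claim):
            return False, f"{claim} changed"
    if not original["iat"] <= refreshed["iat"] <= now:
        return False, "iat is not a fresh issue time"
    if refreshed["exp"] <= now:
        return False, "expired"
    if "auth_time" in refreshed and refreshed["auth_time"] != original["auth_time"]:
        return False, "auth_time changed"
    return True, "ok"


def run_demo() -> dict:
    """Drive both refresh variants through the client check with constructed timestamps."""
    login_time = 1_700_000_000   # constructed: original authentication for this client
    later_login = 1_700_100_000  # constructed: same user logs in again elsewhere; last_login moves
    now = 1_700_200_000          # constructed: this client refreshes its tokens
    original = mint_id_token("alice", "client-1", auth_time=login_time, now=login_time)
    grant = IssuedGrant(secrets.token_urlsafe(32), "alice", "client-1", original)
    buggy = refresh_using_last_login(grant, later_login, now)["id_token"]
    fixed = refresh_preserving_auth_time(grant, now)["id_token"]
    return {
        "buggy": validate_refreshed_id_token(original, buggy, now),
        "fixed": validate_refreshed_id_token(original, fixed, now),
        "fixed_iat": fixed["iat"],
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, result)
```

The point of storing the original claims with the grant rather than recomputing from the user record is that auth_time is a property of the session the client authenticated in, not of the user account; a login from any other client must not move it.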

ashok304u commented 1 year ago

@Cediddi Any update on the issue? Facing a similar issue.

Cediddi commented 1 year ago

I forked the fork of this library at https://github.com/SelfHacked/django-oidc-provider, then put a few commits on top.

I do not suggest using this library, last updated 5 years ago, nor the fork, last updated 3 years ago.

Go with this: https://github.com/jazzband/django-oauth-toolkit. It's still actively maintained and developed.