omab / python-social-auth

Social auth made simple
http://psa.matiasaguirre.net
BSD 3-Clause "New" or "Revised" License

auth_time doesn't update when token is refreshed #1089

Closed SeanJCasey closed 7 years ago

SeanJCasey commented 7 years ago

Not sure if I'm doing something wrong or this is by design, but I would have thought that auth_time should be automatically set to the current time when refresh_token() successfully generates a new access_token.

Otherwise, this if statement would always be executed after a certain amount of time until a user logs in again:

import time

from social_django.utils import load_strategy

# `user` is the logged-in Django user (for example request.user); assumed here
social = user.social_auth.get(provider='google-oauth2')
# Refresh once the access token's lifetime (auth_time + expires) has elapsed
if (social.extra_data['auth_time'] + social.extra_data['expires']) <= int(time.time()):
    strategy = load_strategy()
    social.refresh_token(strategy)

Running v1.0.1

wormhoudt commented 7 years ago

This is still an issue as of 1.1.0

For google-oauth2 this means that after 3600 seconds, the token gets refreshed for every single request. It's clear that the access_token is being updated in the database, but auth_time is not.

I added the following code as a temporary fix.

import time

# `auth` is the UserSocialAuth instance whose token was just refreshed; assumed here
# Update the auth time, to compensate for auth_time not being updated by refresh_token
# Assumes server is UTC and creates a 5 minute buffer to account for skew
auth.extra_data['auth_time'] = int(time.time()) - 300
auth.save()
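As an added example (not code from python-social-auth or from any commenter), the following simulation models the expiry check from the first comment and the workaround from the second. It assumes constructed `extra_data` dicts carrying the `auth_time` (epoch seconds) and `expires` (lifetime in seconds) keys the thread uses, and counts how many requests trigger a refresh when `auth_time` is left alone versus reset after a refresh.

```python
import time

# Constructed example, not python-social-auth code: extra_data mirrors the
# keys from the issue ('auth_time', 'expires', 'access_token').


def token_expired(extra_data, now=None):
    """True when the access token's lifetime has elapsed (the if-test from the issue)."""
    now = int(time.time()) if now is None else now
    return (extra_data['auth_time'] + extra_data['expires']) <= now


def refresh_without_auth_time_update(extra_data, new_token, now=None):
    """Refresh as observed in v1.0.1 / 1.1.0: the token changes, auth_time does not."""
    extra_data['access_token'] = new_token
    return extra_data


def refresh_with_auth_time_update(extra_data, new_token, now=None, skew=300):
    """Refresh that also resets auth_time, with a clock-skew buffer as in the workaround."""
    now = int(time.time()) if now is None else now
    extra_data['access_token'] = new_token
    extra_data['auth_time'] = now - skew
    return extra_data


def simulate_requests(refresh_fn, n_requests, start, step=60):
    """Count refreshes over n_requests spaced `step` seconds apart, all after the first expiry."""
    extra_data = {'access_token': 'tok-0', 'auth_time': start, 'expires': 3600}
    refreshes = 0
    for i in range(n_requests):
        now = start + 3600 + i * step  # each request lands after the initial lifetime
        if token_expired(extra_data, now):
            refreshes += 1
            refresh_fn(extra_data, 'tok-%d' % refreshes, now)
    return refreshes


if __name__ == '__main__':
    start = 1_000_000  # constructed epoch timestamp
    print('refreshes without auth_time update:',
          simulate_requests(refresh_without_auth_time_update, 100, start))  # 100
    print('refreshes with auth_time update:',
          simulate_requests(refresh_with_auth_time_update, 100, start))     # 2
```

Without the reset, every request after the first expiry re-runs the refresh (one refresh-token round trip per request, and one new access token minted per request); with the reset, only the requests that actually cross the next lifetime boundary do.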

omab commented 7 years ago

Fixed by https://github.com/python-social-auth/social-core/commit/feeb27c5d2bdf94428d09f289342cd64a679df62.