Open
I guess this is related to #230 and DuendeArchive/identity-model-oidc-client-js#1058
Refreshing a token must return access_token, refresh_token, token_type and expires_in, and optionally an id_token whose iat is that of the new id_token and whose auth_time is that of the original id_token. Instead it returns an id_token with a different auth_time, causing a mismatch in the auth_time values check.
This is because user.last_login is used as the auth_time; instead, it should use the original id_token's auth_time.
This is actually a critical issue and I want to help if I can without breaking the original code flow.
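As an added illustration (not code from this project or from the reporter), the following Python sketch shows both sides of the mismatch described above: the consistency check a relying party performs on an ID token returned from a refresh (issuer, subject, audience, azp and auth_time must equal the original token's, iat must be fresh), and a hypothetical server-side helper that mints the refreshed claims by copying auth_time from the original ID token instead of from the user's last login. The claim values, client id and timestamps are constructed sample data.

```python
import time

# Claims a relying party compares between the original ID token and the one
# returned from a refresh (OpenID Connect Core 1.0, section 12.2). auth_time
# is the one this issue is about: it must echo the original authentication.
MUST_MATCH_ORIGINAL = ("iss", "sub", "aud", "auth_time", "azp")


def check_refreshed_id_token(original: dict, refreshed: dict) -> list:
    """Return a list of problems; an empty list means the refreshed ID token
    is consistent with the original one (the check the client performs)."""
    problems = []
    for claim in MUST_MATCH_ORIGINAL:
        if claim in original or claim in refreshed:
            if original.get(claim) != refreshed.get(claim):
                problems.append(
                    f"{claim} changed: {original.get(claim)!r} -> {refreshed.get(claim)!r}"
                )
    # iat must describe the new token, so it cannot predate the original iat.
    if refreshed.get("iat", 0) < original.get("iat", 0):
        problems.append("iat of refreshed token is older than the original")
    return problems


def build_refreshed_id_token_claims(original: dict, now: int, lifetime: int = 600) -> dict:
    """Hypothetical server-side helper (not the project's code): mint claims
    for the ID token returned from the refresh_token grant. auth_time is
    copied from the original token; only iat/exp are renewed, and the nonce,
    which belonged to the original authentication request, is dropped."""
    claims = dict(original)
    claims["iat"] = now
    claims["exp"] = now + lifetime
    claims.pop("nonce", None)
    return claims


# Constructed sample data. ORIGINAL is the ID token from the interactive login;
# BUGGY_REFRESH mimics a server that sets auth_time from user.last_login,
# which happened to be one hour later than the original authentication.
ORIGINAL = {
    "iss": "https://op.example",
    "sub": "user-42",
    "aud": "client-1",
    "azp": "client-1",
    "auth_time": 1700000000,
    "iat": 1700000010,
    "exp": 1700000610,
    "nonce": "n-1",
}
BUGGY_REFRESH = {
    "iss": "https://op.example",
    "sub": "user-42",
    "aud": "client-1",
    "azp": "client-1",
    "auth_time": 1700003600,  # last_login, not the original auth_time
    "iat": 1700003600,
    "exp": 1700004200,
}

if __name__ == "__main__":
    print("buggy refresh:", check_refreshed_id_token(ORIGINAL, BUGGY_REFRESH))
    fixed = build_refreshed_id_token_claims(ORIGINAL, int(time.time()))
    print("fixed refresh:", check_refreshed_id_token(ORIGINAL, fixed))
```

Running the block prints one problem for the buggy response (`auth_time changed`) and none for the corrected one, which is exactly the condition that makes the JS client reject the refreshed token.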