fix(security): don't mint new ID tokens on refresh; confirm offline_access gating

idpyoidc already gates refresh-token issuance on the offline_access scope
(verified by test), but the refresh-token grant was configured to also mint
fresh ID tokens. Drop id_token from the refresh_token grant's supports_minting
so refreshing yields only access (and a rotated refresh) token; ID tokens come
from authentication. Refresh-token rotation is retained.

Refs: porchlight-553

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
Johan Lundberg 2026-06-10 09:25:49 +02:00
parent 519e3659a1
commit 27763d19ea
No known key found for this signature in database
GPG key ID: A6C152738D03C7D1
2 changed files with 72 additions and 3 deletions

@ -67,7 +67,10 @@ def _build_server_config(settings: Settings) -> dict:
"expires_in": 3600,
},
"refresh_token": {
"supports_minting": ["access_token", "refresh_token", "id_token"],
# Rotate refresh tokens (mint a new one) and mint
# access tokens, but do NOT mint fresh ID tokens on
# refresh — re-authentication should issue ID tokens.
"supports_minting": ["access_token", "refresh_token"],
"expires_in": 86400,
},
},
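Review bot: the replaced line in this hunk narrows `supports_minting` for the `refresh_token` grant to `["access_token", "refresh_token"]`, which is a visible behaviour change for any relying party that reads fresh claims from the `id_token` returned on refresh; OIDC Core 12.2 permits the refresh response to omit `id_token`, but the change still deserves a line in the changelog or client-facing docs, not only the in-code comment. The commit message says the offline_access gating is covered by a test; an assertion that the refresh-token response carries no `id_token` key would pin this configuration change the same way, so it cannot silently regress if `supports_minting` is edited again. Minor style point: the added comment uses a non-ASCII em dash ("on refresh — re-authentication"); a plain hyphen or semicolon keeps the source ASCII-clean and consistent with the surrounding comments.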