fix(security): don't mint new ID tokens on refresh; confirm offline_access gating
idpyoidc already gates refresh-token issuance on the offline_access scope (verified by test), but the refresh-token grant was configured to also mint fresh ID tokens. Drop id_token from the refresh_token grant's supports_minting so refreshing yields only access (and a rotated refresh) token; ID tokens come from authentication. Refresh-token rotation is retained.

Refs: porchlight-553
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
parent 519e3659a1
commit 27763d19ea
2 changed files with 72 additions and 3 deletions
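The commit message describes three gates on token minting: a refresh token is issued only when the session carries offline_access, the refresh grant rotates the refresh token, and the refresh grant no longer mints an ID token. The following is an added model of that policy written for this page; it is not idpyoidc's code and does not use its API. The "authorization_code" grant entry, the openid-scope gate on id_token, and the invalidation of the presented refresh token on rotation are assumptions made for the illustration; only the refresh_token entry mirrors the diff.

```python
# Added example (not idpyoidc's code): a minimal model of the token-minting
# policy this commit configures. The authorization_code entry, the openid gate
# on id_token and old-token invalidation on rotation are assumptions.
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Grant config. The refresh_token entry mirrors the diff (no "id_token");
# the authorization_code entry is assumed. "expires_in" is the lifetime of the
# grant's tokens and is not modelled further here.
GRANT_CONFIG = {
    "authorization_code": {
        "supports_minting": ["access_token", "refresh_token", "id_token"],
        "expires_in": 3600,
    },
    "refresh_token": {
        "supports_minting": ["access_token", "refresh_token"],
        "expires_in": 86400,
    },
}


class TokenError(Exception):
    """Raised when a refresh token is unknown or has already been rotated."""


@dataclass
class Session:
    """Authenticated session: subject, granted scopes, refresh tokens still valid."""
    sub: str
    scope: frozenset
    live_refresh_tokens: set = field(default_factory=set)


def issue_tokens(session: Session, grant: str,
                 presented_refresh: Optional[str] = None) -> dict:
    """Build the token response for `grant`, applying three gates:
    1. the refresh_token grant must present a live refresh token, which is
       consumed so it cannot be replayed (rotation; assumed behaviour);
    2. a refresh token is minted only if the grant lists it AND the session
       has offline_access (the gating the commit message says is verified);
    3. an id_token is minted only if the grant lists it AND the session has
       openid (assumed gate). The refresh grant never lists it, so a refresh
       response carries at most access_token and refresh_token.
    """
    cfg = GRANT_CONFIG[grant]
    allowed = cfg["supports_minting"]
    if grant == "refresh_token":
        if presented_refresh not in session.live_refresh_tokens:
            raise TokenError("unknown, expired or already-rotated refresh token")
        session.live_refresh_tokens.discard(presented_refresh)

    response = {"token_type": "Bearer"}
    if "access_token" in allowed:
        response["access_token"] = "at_" + secrets.token_urlsafe(16)
    if "refresh_token" in allowed and "offline_access" in session.scope:
        new_rt = "rt_" + secrets.token_urlsafe(16)
        session.live_refresh_tokens.add(new_rt)
        response["refresh_token"] = new_rt
    if "id_token" in allowed and "openid" in session.scope:
        # Placeholder ID token; a real one is a signed JWT.
        response["id_token"] = f"idt_{session.sub}_" + secrets.token_urlsafe(8)
    return response


def minted_kinds(response: dict) -> set:
    """Which of the three token kinds a response actually contains."""
    return {k for k in ("access_token", "refresh_token", "id_token") if k in response}


def refresh_is_rejected(session: Session, token: str) -> bool:
    """True if presenting `token` to the refresh grant is refused."""
    try:
        issue_tokens(session, "refresh_token", token)
    except TokenError:
        return True
    return False


if __name__ == "__main__":
    s = Session(sub="alice", scope=frozenset({"openid", "offline_access"}))
    first = issue_tokens(s, "authorization_code")
    print("code grant minted:", sorted(minted_kinds(first)))
    second = issue_tokens(s, "refresh_token", first["refresh_token"])
    print("refresh grant minted:", sorted(minted_kinds(second)))
    print("old refresh token rejected:", refresh_is_rejected(s, first["refresh_token"]))
```

Running the script shows the code grant minting all three kinds, the refresh grant minting only access and refresh tokens, and the old refresh token being refused once rotated.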
@ -67,7 +67,10 @@ def _build_server_config(settings: Settings) -> dict:
"expires_in": 3600,
},
"refresh_token": {
"supports_minting": ["access_token", "refresh_token", "id_token"],
# Rotate refresh tokens (mint a new one) and mint
# access tokens, but do NOT mint fresh ID tokens on
# refresh — re-authentication should issue ID tokens.
"supports_minting": ["access_token", "refresh_token"],
"expires_in": 86400,
},
},
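Review bot: the hunk keeps "refresh_token" in supports_minting (rotation retained, per the commit message) but does not show where the presented refresh token is invalidated when its replacement is minted; confirm that the old token is revoked on rotation, otherwise every copy ever issued stays usable for the full 86400-second lifetime and the rotation adds no protection. The removal of "id_token" from the refresh grant is conformant (OIDC Core 12.2 allows a refresh response to omit id_token), but it is a visible behaviour change for clients that relied on a fresh `id_token` after refresh, so a CHANGELOG or client-docs line stating that a refresh now returns only `access_token` and `refresh_token` would help; the comment above the new `"supports_minting": ["access_token", "refresh_token"],` line already says why, so the docs can point readers to it.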
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue