providers/oauth2: fix old id_token being sent when using token endpoint with grant_type=refresh_token

authentik/providers/oauth2/views/provider.py

@@ -7,7 +7,12 @@ from django.views import View
 from structlog import get_logger
 
 from authentik.core.models import Application
-from authentik.providers.oauth2.constants import ACR_AUTHENTIK_DEFAULT, SCOPE_OPENID
+from authentik.providers.oauth2.constants import (
+    ACR_AUTHENTIK_DEFAULT,
+    GRANT_TYPE_AUTHORIZATION_CODE,
+    GRANT_TYPE_REFRESH_TOKEN,
+    SCOPE_OPENID,
+)
 from authentik.providers.oauth2.models import GrantTypes, OAuth2Provider, ScopeMapping
 
 LOGGER = get_logger()
@@ -56,9 +61,9 @@ class ProviderInfoView(View):
                 )
             ),
             "grant_types_supported": [
-                GrantTypes.AUTHORIZATION_CODE,
+                GRANT_TYPE_AUTHORIZATION_CODE,
+                GRANT_TYPE_REFRESH_TOKEN,
                 GrantTypes.IMPLICIT,
-                GrantTypes.HYBRID,
             ],
             "id_token_signing_alg_values_supported": [provider.jwt_alg],
             # See: http://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes

authentik/providers/oauth2/views/token.py

@@ -248,9 +248,7 @@ class TokenView(View):
             "expires_in": timedelta_from_string(
                 refresh_token.provider.token_validity
             ).seconds,
-            "id_token": self.params.provider.encode(
-                self.params.refresh_token.id_token.to_dict()
-            ),
+            "id_token": self.params.provider.encode(refresh_token.id_token.to_dict()),
         }
 
         return dic