fix(op): allow expired id token hints in authorize (#527)

Like #522 for end session, this change allows passing an expired ID token hint to the authorize endpoint.
zitadel · Feb 1, 2024 · 045b59e · 045b59e
1 parent 35d9540
commit 045b59e
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/pkg/op/auth_request.go b/pkg/op/auth_request.go
@@ -391,9 +391,9 @@ func ValidateAuthReqIDTokenHint(ctx context.Context, idTokenHint string, verifie
 		return "", nil
 	}
 	claims, err := VerifyIDTokenHint[*oidc.TokenClaims](ctx, idTokenHint, verifier)
-	if err != nil {
+	if err != nil && !errors.As(err, &IDTokenHintExpiredError{}) {
 		return "", oidc.ErrLoginRequired().WithDescription("The id_token_hint is invalid. " +
-			"If you have any questions, you may contact the administrator of the application.")
+			"If you have any questions, you may contact the administrator of the application.").WithParent(err)
 	}
 	return claims.GetSubject(), nil
 }