From 5df7db510524a156a0a1f0d659a06a02dd5d3644 Mon Sep 17 00:00:00 2001
From: Jasper Weyne
Date: Tue, 7 Jul 2020 02:51:33 +0200
Subject: [PATCH] Ignore ID token expiry if unavailable
---
 app/Auth/Access/OpenIdService.php | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/app/Auth/Access/OpenIdService.php b/app/Auth/Access/OpenIdService.php
index 377925d61..7b651c3de 100644
--- a/app/Auth/Access/OpenIdService.php
+++ b/app/Auth/Access/OpenIdService.php
@@ -8,6 +8,7 @@ use Exception;
 use Lcobucci\JWT\Token;
 use League\OAuth2\Client\Provider\Exception\IdentityProviderException;
 use OpenIDConnectClient\AccessToken;
+use OpenIDConnectClient\Exception\InvalidTokenException;
 use OpenIDConnectClient\OpenIDConnectProvider;
 /**
@@ -64,8 +65,9 @@ class OpenIdService extends ExternalAuthService
 $json = session()->get('openid_token');
 $accessToken = new AccessToken(json_decode($json, true));
- // Check whether the access token or ID token is expired
- if (!$accessToken->getIdToken()->isExpired() && !$accessToken->hasExpired()) {
+ // Check if both the access token and the ID token (if present) are unexpired
+ $idToken = $accessToken->getIdToken();
+ if (!$accessToken->hasExpired() && (!$idToken || !$idToken->isExpired())) {
 return true;
 }
@@ -86,6 +88,9 @@ class OpenIdService extends ExternalAuthService
 // Refreshing failed, logout
 $this->actionLogout();
 return false;
+ } catch (InvalidTokenException $e) {
+ // A refresh token doesn't necessarily contain
+ // an ID token, ignore this exception
 }
 // A valid token was obtained, we update the access token
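Review bot: A missing ID token now passes the check at `(!$idToken || !$idToken->isExpired())`, so a session whose stored token carries no ID token is accepted on the access token's expiry alone. That matches the commit's intent, but it is a fail-open branch inside an authentication check, and the comment should say why absence is acceptable, for example `// No ID token may be stored after a refresh; validity then rests on the access token's expiry only`. `!$idToken` also relies on truthiness; if `getIdToken()` returns null when the token is absent (not visible here), `$idToken === null` states the condition exactly. The enclosing method starts and ends outside the hunk.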
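Review bot: The new `catch (InvalidTokenException $e)` branch swallows every exception of that type from the try body, not only the "refresh response has no ID token" case the comment describes. If the library raises the same exception for an ID token that is present but fails signature or claim validation, that failure is ignored too and execution falls through to the "A valid token was obtained" path. The try body is outside the hunk, but if the exception is thrown before the refreshed token is assigned, the code after the catch would continue with the previous, expired token and still report success. Failing closed unless the missing-ID-token case is positively identified would be safer, mirroring the branch above with `$this->actionLogout();` and `return false;`, and the exception should at least be logged so rejected tokens are visible to operators.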