Using verify_id_token is better then id_token.verify().

rohe · rohe · commit 91b7bd4ad026 · 2019-03-12T09:28:33.000+01:00
diff --git a/src/oidcmsg/oidc/session.py b/src/oidcmsg/oidc/session.py
@@ -9,7 +9,7 @@
 from ..message import SINGLE_REQUIRED_JSON
 from ..message import SINGLE_REQUIRED_STRING
 from ..oauth2 import ResponseMessage
-from ..oidc import clear_verified_claims
+from ..oidc import clear_verified_claims, verify_id_token
 from ..oidc import verified_claim_name
 from ..oidc import IdToken
 from ..oidc import ID_TOKEN_VERIFY_ARGS
@@ -62,9 +62,8 @@ def verify(self, **kwargs):
                 except KeyError:
                     pass
             idt = IdToken().from_jwt(str(self["id_token_hint"]), **args)
-            if not idt.verify(**kwargs):
+            if not verify_id_token(self, claim='id_token_hint', **kwargs):
                 return False
-
             # Add the verified ID Token to the message instance
             self[verified_claim_name("id_token_hint")] = idt
 
