From 29edbb035724147eb483e858d876de0174515f33 Mon Sep 17 00:00:00 2001
From: Jens Langhammer
Date: Sat, 26 Dec 2020 19:05:02 +0100
Subject: [PATCH] providers/oauth2: use auth_time from LOGIN event
---
 authentik/providers/oauth2/models.py | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/authentik/providers/oauth2/models.py b/authentik/providers/oauth2/models.py
index e2627aef9..10cdafaf9 100644
--- a/authentik/providers/oauth2/models.py
+++ b/authentik/providers/oauth2/models.py
@@ -484,10 +484,9 @@ class RefreshToken(ExpiringModel, BaseGrantModel):
 exp_time = int(
 now + timedelta_from_string(self.provider.token_validity).seconds
 )
- # Because this function is called after the AUTHORIZE_APPLICATION Event has been created,
- # we use the timestamp of that.
+ # We use the timestamp of the user's last successful login (EventAction.LOGIN) for auth_time
 auth_event = Event.objects.filter(
- action=EventAction.AUTHORIZE_APPLICATION, user=get_user(user)
+ action=EventAction.LOGIN, user=get_user(user)
 ).latest("created")
 auth_time = int(dateformat.format(auth_event.created, "U"))
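Review bot: The new lookup `Event.objects.filter(action=EventAction.LOGIN, user=get_user(user)).latest("created")` is keyed on the user alone, so `auth_time` is the newest LOGIN event of that user in any session, not necessarily the authentication behind the session this token is issued for. A relying party that checks `max_age` against `auth_time` may therefore treat an older session as freshly authenticated if the same user has logged in elsewhere since. If the session's own authentication time is not available at this point, the comment should at least state the limitation, e.g. `# NOTE: latest LOGIN event for this user across all sessions; may be newer than this session's authentication`. Separately, `.latest("created")` raises `DoesNotExist` when no LOGIN event matches (for instance if events were deleted or have expired), and nothing in the visible lines handles that, so token creation would presumably fail with an unhandled exception. The enclosing method starts and ends outside the hunk, so a guard may exist there.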