
Expired ID tokens are not removed #1222

@Pankrat

Describe the bug

When running django-admin cleartokens, access tokens and refresh tokens are cleared as documented, but expired ID tokens stick around in the DB until they are removed manually.

To Reproduce

  1. Set OIDC_ENABLED = True
  2. Set REFRESH_TOKEN_EXPIRE_SECONDS to a low value
  3. Set ACCESS_TOKEN_EXPIRE_SECONDS to a low value
  4. Set ID_TOKEN_EXPIRE_SECONDS to a low value
  5. Get a set of tokens
  6. Wait until all of the tokens have expired
  7. Run django-admin cleartokens
  8. The access and refresh tokens will be removed; the expired ID token is still in the DB

Expected behavior

I'd expect the ID token to be removed alongside the access token which holds the reference OR the ID token to be removed from the database when it has expired.

Version

Tested with version 2.1.0.

  • I have tested with the latest published release and it's still a problem.
  • I have tested with the master branch and it's still a problem.

Additional context

More generally, I wonder if revoking an access token should clear the ID token (if there is one), similar to how revoking a refresh token clears the associated access token?

I'd be willing to contribute a test and patch to the issue if a patch would be welcome for this issue (please let me know if that's the case).

Thanks for your consideration!
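
The retention gap reported above, modelled as an added example that is not code from this issue or from django-oauth-toolkit: it reproduces the leftover ID token, audits for it, and purges it. The SQLite schema, its table and column names, the timestamps and every function name are constructed assumptions, not the project's real tables or API.

```python
import sqlite3

# Simplified, constructed schema (an assumption, not the project's real tables).
# The access token holds the reference to the ID token, as the issue states.
SCHEMA = """
CREATE TABLE id_token (id INTEGER PRIMARY KEY, expires INTEGER NOT NULL);
CREATE TABLE access_token (
    id INTEGER PRIMARY KEY, expires INTEGER NOT NULL,
    id_token_id INTEGER REFERENCES id_token(id) ON DELETE CASCADE);
CREATE TABLE refresh_token (
    id INTEGER PRIMARY KEY, expires INTEGER NOT NULL,
    access_token_id INTEGER REFERENCES access_token(id) ON DELETE SET NULL);
"""

def build_db(now):
    """Create one expired token set (id 1) and one still-valid set (id 2)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    for pk, expires in ((1, now - 60), (2, now + 3600)):
        conn.execute("INSERT INTO id_token VALUES (?, ?)", (pk, expires))
        conn.execute("INSERT INTO access_token VALUES (?, ?, ?)", (pk, expires, pk))
        conn.execute("INSERT INTO refresh_token VALUES (?, ?, ?)", (pk, expires, pk))
    return conn

def clear_access_and_refresh(conn, now):
    """Cleanup as the issue describes it: ID tokens are never touched."""
    conn.execute("DELETE FROM refresh_token WHERE expires < ?", (now,))
    conn.execute("DELETE FROM access_token WHERE expires < ?", (now,))

UNREFERENCED = ("expires < ? AND id NOT IN (SELECT id_token_id "
                "FROM access_token WHERE id_token_id IS NOT NULL)")

def leftover_expired_id_tokens(conn, now):
    """Audit: ids of expired ID tokens no access token points at any more."""
    rows = conn.execute(
        f"SELECT id FROM id_token WHERE {UNREFERENCED} ORDER BY id", (now,))
    return [row[0] for row in rows]

def purge_expired_id_tokens(conn, now):
    """Extra cleanup step; returns the number of ID token rows removed."""
    cur = conn.execute(f"DELETE FROM id_token WHERE {UNREFERENCED}", (now,))
    return cur.rowcount

if __name__ == "__main__":
    now = 1_700_000_000  # constructed timestamp (epoch seconds)
    conn = build_db(now)
    clear_access_and_refresh(conn, now)
    print("leftover ID tokens:", leftover_expired_id_tokens(conn, now))
    print("purged:", purge_expired_id_tokens(conn, now))
```

The purge only removes ID tokens that nothing references, so the cascade on the access token's foreign key never deletes a live access token.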
