diff --git a/go.mod b/go.mod
index 367c6d4fe..b67da0887 100644
--- a/go.mod
+++ b/go.mod
@@ -54,7 +54,7 @@ require (
 	github.com/kovidgoyal/imaging v1.6.3
 	github.com/leonelquinteros/gotext v1.7.0
 	github.com/libregraph/idm v0.5.0
-	github.com/libregraph/lico v0.64.0
+	github.com/libregraph/lico v0.65.0
 	github.com/mitchellh/mapstructure v1.5.0
 	github.com/mna/pigeon v1.3.0
 	github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826
diff --git a/go.sum b/go.sum
index b3de4f246..7d7e157f5 100644
--- a/go.sum
+++ b/go.sum
@@ -255,8 +255,6 @@ github.com/crewjam/saml v0.4.14 h1:g9FBNx62osKusnFzs3QTN5L9CVA/Egfgm+stJShzw/c=
 github.com/crewjam/saml v0.4.14/go.mod h1:UVSZCf18jJkk6GpWNVqcyQJMD5HsRugBPf4I1nl2mME=
 github.com/cs3org/go-cs3apis v0.0.0-20241105092511-3ad35d174fc1 h1:RU6LT6mkD16xZs011+8foU7T3LrPvTTSWeTQ9OgfhkA=
 github.com/cs3org/go-cs3apis v0.0.0-20241105092511-3ad35d174fc1/go.mod h1:DedpcqXl193qF/08Y04IO0PpxyyMu8+GrkD6kWK2MEQ=
-github.com/cs3org/reva/v2 v2.26.7 h1:E5b1+H5ZsnmDgWWS/u3t4PtdmiMaY1bEEYVI/vE9xo8=
-github.com/cs3org/reva/v2 v2.26.7/go.mod h1:xC5N2XOrCRim/W55uyMsew8RwwFZbQ4hIaKshIbyToo=
 github.com/cs3org/reva/v2 v2.26.8-0.20241203081301-17f339546533 h1:QshDjljk44ASolJwlHxE9e7u+Slgdi/VfPKYvbfFu2g=
 github.com/cs3org/reva/v2 v2.26.8-0.20241203081301-17f339546533/go.mod h1:fJWmn7EkttWOWphZfiKdFOcHuthcUsU55aSN1VeTOhU=
 github.com/cyberdelia/templates v0.0.0-20141128023046-ca7fffd4298c/go.mod h1:GyV+0YP4qX0UQ7r2MoYZ+AvYDp12OF5yg4q8rGnyNh4=
@@ -738,8 +736,8 @@ github.com/leonelquinteros/gotext v1.7.0 h1:jcJmF4AXqyamP7vuw2MMIKs+O3jAEmvrc5JQ
 github.com/leonelquinteros/gotext v1.7.0/go.mod h1:qJdoQuERPpccw7L70uoU+K/BvTfRBHYsisCQyFLXyvw=
 github.com/libregraph/idm v0.5.0 h1:tDMwKbAOZzdeDYMxVlY5PbSqRKO7dbAW9KT42A51WSk=
 github.com/libregraph/idm v0.5.0/go.mod h1:BGMwIQ/6orJSPVzJ1x6kgG2JyG9GY05YFmbsnaD80k0=
-github.com/libregraph/lico v0.64.0 h1:fbMV2ALjrOysGL0m58bhRrF+9e/HCL5RkoSwMN+xoWQ=
-github.com/libregraph/lico v0.64.0/go.mod h1:J2ZNe1DcO+K/5ptOOrQk2A2mn6OwXRdGUI4ASgw2WGg=
+github.com/libregraph/lico v0.65.0 h1:h8GYJhTOBuNvxQzdViHdWkNSUp+YbPB1H18Bfn/zdlY=
+github.com/libregraph/lico v0.65.0/go.mod h1:6w+kgoTYiXpJ7VriAaKJfeyF0eV/Stapd9pnK64du84=
 github.com/libregraph/oidc-go v1.1.0 h1:RyudjL3UyQblqeBQI06W53PniWobqODeeyAy6v/HumA=
 github.com/libregraph/oidc-go v1.1.0/go.mod h1:qW9ubcXvZrfbbWZBaLMuk7bt5qAUMYyt9/NtXQt07Cw=
 github.com/linode/linodego v0.25.3/go.mod h1:GSBKPpjoQfxEfryoCRcgkuUOCuVtGHWhzI8OMdycNTE=
diff --git a/vendor/github.com/libregraph/lico/CHANGELOG.md b/vendor/github.com/libregraph/lico/CHANGELOG.md
index 4e998708a..68cd669c9 100644
--- a/vendor/github.com/libregraph/lico/CHANGELOG.md
+++ b/vendor/github.com/libregraph/lico/CHANGELOG.md
@@ -4,7 +4,21 @@
 
 
 
-## v0.64.0 (2024-09-18)
+## v0.65.0 (2024-11-26)
+
+- Add login hint support
+- Add legacy support via plugin
+- Allow client redirect URI with only a scheme
+- Bump braces from 3.0.2 to 3.0.3 in /identifier
+- Bump path-to-regexp from 1.8.0 to 1.9.0 in /identifier
+- Bump ws from 8.14.2 to 8.17.1 in /identifier
+- Bump rollup from 2.79.1 to 2.79.2 in /identifier
+- Bump github.com/golang-jwt/jwt/v4 from 4.5.0 to 4.5.1
+- Keep extra backend provided id and access token claims on refresh
+- Return id token when grant type is refresh token
+
+
+## v0.64.0 (2024-09-19)
 
 - Implement refresh and revoke for lg identifier backend session
 - Pass real src ip and user agent to lg identifier backend
diff --git a/vendor/github.com/libregraph/lico/identifier/api.go b/vendor/github.com/libregraph/lico/identifier/api.go
index 1be19fc67..ea553dedf 100644
--- a/vendor/github.com/libregraph/lico/identifier/api.go
+++ b/vendor/github.com/libregraph/lico/identifier/api.go
@@ -35,10 +35,10 @@ func (i *Identifier) writeWebappIndexHTML(rw http.ResponseWriter, req *http.Requ
 	// FIXME(longsleep): Set a secure CSP. Right now we need `data:` for images
 	// since it is used. Since `data:` URLs possibly could allow xss, a better
 	// way should be found for our early loading inline SVG stuff.
-	rw.Header().Set("Content-Security-Policy", fmt.Sprintf("default-src 'self'; img-src 'self' data:; font-src 'self' data:; script-src 'self'; style-src 'self' 'nonce-%s'; base-uri 'none'; frame-ancestors 'none';", nonce))
+	rw.Header().Set("Content-Security-Policy", fmt.Sprintf("default-src 'self'; img-src 'self' data:; font-src 'self' data:; script-src 'self' 'nonce-%s'; style-src 'self' 'nonce-%s'; base-uri 'none'; frame-ancestors 'none';", nonce, nonce))
 
 	// Write index with random nonce to response.
-	index := bytes.Replace(i.webappIndexHTML, []byte("__CSP_NONCE__"), []byte(nonce), 1)
+	index := bytes.ReplaceAll(i.webappIndexHTML, []byte("__CSP_NONCE__"), []byte(nonce))
 	rw.Write(index)
 }
 
diff --git a/vendor/github.com/libregraph/lico/identifier/package.json b/vendor/github.com/libregraph/lico/identifier/package.json
index 8f72418e3..7400e18a6 100644
--- a/vendor/github.com/libregraph/lico/identifier/package.json
+++ b/vendor/github.com/libregraph/lico/identifier/package.json
@@ -25,6 +25,7 @@
     "redux-logger": "^3.0.6",
     "redux-thunk": "^2.4.2",
     "render-if": "^0.1.1",
+    "validator": "^13.12.0",
     "web-vitals": "^1.1.2"
   },
   "scripts": {
@@ -47,9 +48,11 @@
     "@types/react-dom": "^17.0.23",
     "@types/react-redux": "^7.1.25",
     "@types/redux-logger": "^3.0.12",
+    "@types/validator": "^13",
     "@typescript-eslint/eslint-plugin": "^6.11.0",
     "@typescript-eslint/parser": "^6.9.0",
     "@typescript-eslint/typescript-estree": "^6.11.0",
+    "@vitejs/plugin-legacy": "^4.0.0",
     "@vitejs/plugin-react": "^4.1.1",
     "cldr": "^7.4.0",
     "eslint": "^8.53.0",
@@ -60,6 +63,7 @@
     "if-node-version": "^1.1.1",
     "jsdom": "^22.1.0",
     "source-map-explorer": "^2.5.3",
+    "terser": "^5.30.4",
     "typescript": "^5.2.2",
     "vite": "^4.5.2",
     "vite-plugin-checker": "^0.6.2",
diff --git a/vendor/github.com/libregraph/lico/identifier/vite.config.js b/vendor/github.com/libregraph/lico/identifier/vite.config.js
index d89a6a218..8af1d0b71 100644
--- a/vendor/github.com/libregraph/lico/identifier/vite.config.js
+++ b/vendor/github.com/libregraph/lico/identifier/vite.config.js
@@ -1,6 +1,31 @@
-import { defineConfig, splitVendorChunkPlugin } from 'vite';
-import react from '@vitejs/plugin-react';
-import checker from 'vite-plugin-checker';
+import { defineConfig, splitVendorChunkPlugin } from "vite";
+import react from "@vitejs/plugin-react";
+import checker from "vite-plugin-checker";
+import legacy from "@vitejs/plugin-legacy";
+
+
+const addScriptCSPNoncePlaceholderPlugin = () => {
+  return {
+    name: "add-script-nonce-placeholderP-plugin",
+    apply: "build",
+    transformIndexHtml: {
+      order: "post",
+      handler(htmlData) {
+
+        return htmlData.replaceAll(
+          /<script nomodule>/gi,
+          `<script nomodule nonce="__CSP_NONCE__">`
+        ).replaceAll(
+          /<script type="module">/gi,
+          `<script type="module" nonce="__CSP_NONCE__">`
+        ).replaceAll(
+          /<script nomodule crossorigin id="vite-legacy-entry"/gi,
+          `<script nomodule crossorigin id="vite-legacy-entry" nonce="__CSP_NONCE__"`
+        );
+      },
+    },
+  };
+};
 
 export default defineConfig((env) => {
   return {
@@ -23,13 +48,18 @@ export default defineConfig((env) => {
     },
     plugins: [
       react(),
-      env.mode !== 'test' && checker({
-        typescript: true,
-        eslint: {
-          lintCommand: 'eslint --max-warnings=0 src',
-        },
+      legacy({
+        targets: ['edge 18'],
       }),
+      env.mode !== "test" &&
+        checker({
+          typescript: true,
+          eslint: {
+            lintCommand: 'eslint --max-warnings=0 src',
+          },
+        }),
       splitVendorChunkPlugin(),
+      addScriptCSPNoncePlaceholderPlugin(),
     ],
     test: {
       globals: true,
diff --git a/vendor/github.com/libregraph/lico/oidc/payload/authentication.go b/vendor/github.com/libregraph/lico/oidc/payload/authentication.go
index 2080b5fe8..0aef0f94c 100644
--- a/vendor/github.com/libregraph/lico/oidc/payload/authentication.go
+++ b/vendor/github.com/libregraph/lico/oidc/payload/authentication.go
@@ -332,7 +332,7 @@ func (ar *AuthenticationRequest) Validate(keyFunc jwt.Keyfunc) error {
 	}
 	// TODO(longsleep): implement client_id white list.
 
-	if ar.RedirectURI == nil || ar.RedirectURI.Host == "" || ar.RedirectURI.Scheme == "" {
+	if ar.RedirectURI == nil || !ar.RedirectURI.IsAbs() {
 		return ar.NewBadRequest(oidc.ErrorCodeOAuth2InvalidRequest, "invalid or missing redirect_uri")
 	}
 
diff --git a/vendor/github.com/libregraph/lico/oidc/provider/handlers.go b/vendor/github.com/libregraph/lico/oidc/provider/handlers.go
index 78e046b3f..250f31cad 100644
--- a/vendor/github.com/libregraph/lico/oidc/provider/handlers.go
+++ b/vendor/github.com/libregraph/lico/oidc/provider/handlers.go
@@ -239,7 +239,7 @@ func (p *Provider) AuthorizeResponse(rw http.ResponseWriter, req *http.Request,
 
 	// Create access token when requested.
 	if _, ok := ar.ResponseTypes[oidc.ResponseTypeToken]; ok {
-		accessTokenString, err = p.makeAccessToken(ctx, ar.ClientID, auth, nil)
+		accessTokenString, err = p.makeAccessToken(ctx, ar.ClientID, auth, nil, nil)
 		if err != nil {
 			goto done
 		}
@@ -248,7 +248,7 @@ func (p *Provider) AuthorizeResponse(rw http.ResponseWriter, req *http.Request,
 	// Create ID token when requested and granted.
 	if authorizedScopes[oidc.ScopeOpenID] {
 		if _, ok := ar.ResponseTypes[oidc.ResponseTypeIDToken]; ok {
-			idTokenString, err = p.makeIDToken(ctx, ar, auth, session, accessTokenString, codeString, nil)
+			idTokenString, err = p.makeIDToken(ctx, ar, auth, session, accessTokenString, codeString, nil, nil)
 			if err != nil {
 				goto done
 			}
@@ -330,6 +330,7 @@ func (p *Provider) TokenHandler(rw http.ResponseWriter, req *http.Request) {
 	var accessTokenString string
 	var idTokenString string
 	var refreshTokenString string
+	var refreshTokenClaims *konnect.RefreshTokenClaims
 	var approvedScopes map[string]bool
 	var authorizedScopes map[string]bool
 	var clientDetails *clients.Details
@@ -498,22 +499,25 @@ func (p *Provider) TokenHandler(rw http.ResponseWriter, req *http.Request) {
 			ClientID: claims.Audience,
 		}
 
+		// Remember refresh token claims, for use in access and id token generators later on.
+		refreshTokenClaims = claims
+
 	default:
 		err = konnectoidc.NewOAuth2Error(oidc.ErrorCodeOAuth2UnsupportedGrantType, "grant_type value not implemented")
 		goto done
 	}
 
 	// Create access token.
-	accessTokenString, err = p.makeAccessToken(ctx, ar.ClientID, auth, signinMethod)
+	accessTokenString, err = p.makeAccessToken(ctx, ar.ClientID, auth, signinMethod, refreshTokenClaims)
 	if err != nil {
 		goto done
 	}
 
 	switch tr.GrantType {
-	case oidc.GrantTypeAuthorizationCode:
+	case oidc.GrantTypeAuthorizationCode, oidc.GrantTypeRefreshToken:
 		// Create ID token when not previously requested amd openid scope is authorized.
 		if !ar.ResponseTypes[oidc.ResponseTypeIDToken] && authorizedScopes[oidc.ScopeOpenID] {
-			idTokenString, err = p.makeIDToken(ctx, ar, auth, session, accessTokenString, "", signinMethod)
+			idTokenString, err = p.makeIDToken(ctx, ar, auth, session, accessTokenString, "", signinMethod, refreshTokenClaims)
 			if err != nil {
 				goto done
 			}
diff --git a/vendor/github.com/libregraph/lico/oidc/provider/tokens.go b/vendor/github.com/libregraph/lico/oidc/provider/tokens.go
index d2246ea23..ba5d6d5ea 100644
--- a/vendor/github.com/libregraph/lico/oidc/provider/tokens.go
+++ b/vendor/github.com/libregraph/lico/oidc/provider/tokens.go
@@ -35,10 +35,10 @@ import (
 
 // MakeAccessToken implements the oidc.AccessTokenProvider interface.
 func (p *Provider) MakeAccessToken(ctx context.Context, audience string, auth identity.AuthRecord) (string, error) {
-	return p.makeAccessToken(ctx, audience, auth, nil)
+	return p.makeAccessToken(ctx, audience, auth, nil, nil)
 }
 
-func (p *Provider) makeAccessToken(ctx context.Context, audience string, auth identity.AuthRecord, signingMethod jwt.SigningMethod) (string, error) {
+func (p *Provider) makeAccessToken(ctx context.Context, audience string, auth identity.AuthRecord, signingMethod jwt.SigningMethod, refreshTokenClaims *konnect.RefreshTokenClaims) (string, error) {
 	sk, ok := p.getSigningKey(signingMethod)
 	if !ok {
 		return "", fmt.Errorf("no signing key")
@@ -67,6 +67,17 @@ func (p *Provider) makeAccessToken(ctx context.Context, audience string, auth id
 			accessTokenClaims.IdentityClaims = userWithClaims.Claims()
 		}
 		accessTokenClaims.IdentityProvider = auth.Manager().Name()
+		if accessTokenClaims.IdentityClaims != nil && refreshTokenClaims != nil && refreshTokenClaims.IdentityClaims != nil {
+			if refreshTokenClaims.IdentityProvider != accessTokenClaims.IdentityProvider {
+				return "", fmt.Errorf("refresh token claims provider mismatch")
+			}
+			for k, v := range refreshTokenClaims.IdentityClaims {
+				// Force to use refresh token identity claim values. This also locks all
+				// the extra claims for id and access tokens to the ones provided from
+				// the refresh token claims (which currently includes the session id).
+				accessTokenClaims.IdentityClaims[k] = v
+			}
+		}
 	}
 
 	// Support additional custom user specific claims.
@@ -113,7 +124,7 @@ func (p *Provider) makeAccessToken(ctx context.Context, audience string, auth id
 	return accessToken.SignedString(sk.PrivateKey)
 }
 
-func (p *Provider) makeIDToken(ctx context.Context, ar *payload.AuthenticationRequest, auth identity.AuthRecord, session *payload.Session, accessTokenString string, codeString string, signingMethod jwt.SigningMethod) (string, error) {
+func (p *Provider) makeIDToken(ctx context.Context, ar *payload.AuthenticationRequest, auth identity.AuthRecord, session *payload.Session, accessTokenString string, codeString string, signingMethod jwt.SigningMethod, refreshTokenClaims *konnect.RefreshTokenClaims) (string, error) {
 	sk, ok := p.getSigningKey(signingMethod)
 	if !ok {
 		return "", fmt.Errorf("no signing key")
@@ -160,6 +171,18 @@ func (p *Provider) makeIDToken(ctx context.Context, ar *payload.AuthenticationRe
 	if userWithClaims, ok := user.(identity.UserWithClaims); ok {
 		accessTokenClaims.IdentityClaims = userWithClaims.Claims()
 	}
+	accessTokenClaims.IdentityProvider = auth.Manager().Name()
+	if accessTokenClaims.IdentityClaims != nil && refreshTokenClaims != nil && refreshTokenClaims.IdentityClaims != nil {
+		if refreshTokenClaims.IdentityProvider != accessTokenClaims.IdentityProvider {
+			return "", fmt.Errorf("refresh token claims provider mismatch")
+		}
+		for k, v := range refreshTokenClaims.IdentityClaims {
+			// Force to use refresh token identity claim values. This also locks all
+			// the extra claims for id and access tokens to the ones provided from
+			// the refresh token claims (which currently includes the session id).
+			accessTokenClaims.IdentityClaims[k] = v
+		}
+	}
 
 	if withIDTokenClaimsRequest {
 		// Apply additional information from ID token claims request.
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 0349036a4..163960203 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -1264,7 +1264,7 @@ github.com/libregraph/idm/server
 github.com/libregraph/idm/server/handler
 github.com/libregraph/idm/server/handler/boltdb
 github.com/libregraph/idm/server/handler/ldif
-# github.com/libregraph/lico v0.64.0
+# github.com/libregraph/lico v0.65.0
 ## explicit; go 1.18
 github.com/libregraph/lico
 github.com/libregraph/lico/bootstrap