providers/oauth2: use # as separator for code#adfs, check if # exists in response_type and trim

This commit is contained in:
Jens Langhammer 2020-09-19 18:33:22 +02:00
parent c1ea605c7e
commit a02fcb0a7a
3 changed files with 11 additions and 4 deletions


@ -71,7 +71,7 @@ class ResponseTypes(models.TextChoices):
CODE = "code", _("code (Authorization Code Flow)")
CODE_ADFS = (
"code_adfs",
"code#adfs",
_("code (ADFS Compatibility Mode, sends id_token as access_token)"),
)
ID_TOKEN = "id_token", _("id_token (Implicit Flow)")
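Review bot: No data migration accompanies the new stored value `code#adfs` at the `CODE_ADFS` member — the diffstat lists only the model, the authorize view and the swagger schema — so a provider row already saved as `code_adfs` would, after this change, reach the authorize view's suffix check with no `#` present and be rejected with `invalid_request` on every OpenID request. Unless such a migration exists outside this commit, a `RunPython` migration rewriting `code_adfs` to `code#adfs` should ship with it. A comment on the member would also make the convention explicit: `# text before "#" is the response_type the client must send; the suffix is an authentik-internal mode flag`. The `ResponseTypes` class starts outside the hunk.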


@ -163,8 +163,15 @@ class OAuthAuthorizationParams:
raise AuthorizeError(self.redirect_uri, "invalid_request", self.grant_type)
# Response type parameter validation.
if is_open_id and self.response_type != self.provider.response_type:
raise AuthorizeError(self.redirect_uri, "invalid_request", self.grant_type)
if is_open_id:
actual_response_type = self.provider.response_type
if "#" in self.provider.response_type:
hash_index = actual_response_type.index("#")
actual_response_type = actual_response_type[:hash_index]
if self.response_type != actual_response_type:
raise AuthorizeError(
self.redirect_uri, "invalid_request", self.grant_type
)
# PKCE validation of the transformation method.
if self.code_challenge:
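Review bot: The suffix-stripping block starting at `actual_response_type = self.provider.response_type` re-reads `self.provider.response_type` in its `if` after having just copied it, and the four lines collapse to one: `actual_response_type = self.provider.response_type.split("#", 1)[0]`, ideally preceded by `# provider.response_type may carry an internal "#suffix" (e.g. code#adfs); clients only ever send the part before it`. The choice label on the model says ADFS mode also changes what is issued (id_token as access_token), which this hunk does not touch, so any other code that compares `provider.response_type` against a client value or against `"code"` presumably needs the same stripping — a small helper or property on the provider would keep the two from drifting; worth confirming against the token-issuing path, which is not in this diff. The enclosing method of `OAuthAuthorizationParams` begins before and ends after the hunk.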


@ -6633,7 +6633,7 @@ definitions:
type: string
enum:
- code
- code_adfs
- code#adfs
- id_token
- id_token token
- code token