providers/oauth2: use # as separate for code#adfs, check if # exists in response_type and trim
This commit is contained in:
parent
c1ea605c7e
commit
a02fcb0a7a
@ -71,7 +71,7 @@ class ResponseTypes(models.TextChoices):
CODE = "code", _("code (Authorization Code Flow)")
CODE_ADFS = (
"code_adfs",
"code#adfs",
_("code (ADFS Compatibility Mode, sends id_token as access_token)"),
)
ID_TOKEN = "id_token", _("id_token (Implicit Flow)")
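Review bot: The persisted value of `CODE_ADFS` changes from `code_adfs` to `code#adfs`, so any existing provider row still holding `code_adfs` no longer matches a valid choice and, given the trimmed-prefix comparison this commit introduces elsewhere, will reject every authorization request until the row is rewritten; no data migration is visible in this hunk, so one should accompany the change (or the old value be accepted as an alias) if this field is stored in the database. Because `#` now carries meaning, the member deserves a short comment, e.g. `# Stored as "<wire response_type>#<mode>": the part before "#" is what clients send, the suffix only selects a compatibility mode.` The `ResponseTypes` class header is outside the hunk.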
@ -163,8 +163,15 @@ class OAuthAuthorizationParams:
raise AuthorizeError(self.redirect_uri, "invalid_request", self.grant_type)
# Response type parameter validation.
if is_open_id and self.response_type != self.provider.response_type:
raise AuthorizeError(self.redirect_uri, "invalid_request", self.grant_type)
if is_open_id:
actual_response_type = self.provider.response_type
if "#" in self.provider.response_type:
hash_index = actual_response_type.index("#")
actual_response_type = actual_response_type[:hash_index]
if self.response_type != actual_response_type:
raise AuthorizeError(
self.redirect_uri, "invalid_request", self.grant_type
)
# PKCE validation of the transformation method.
if self.code_challenge:
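Review bot: The three lines that strip the `#` suffix (`if "#" in self.provider.response_type:` through `actual_response_type = actual_response_type[:hash_index]`) collapse to one, `actual_response_type = self.provider.response_type.partition("#")[0]`, which drops the separate membership test and the `hash_index` local. The security-relevant property should be stated in a comment rather than left implicit: only the provider-side value is trimmed, while the client-supplied `response_type` is compared verbatim, so a request sending `code#adfs` is still rejected — e.g. `# Only the provider value carries a "#<mode>" suffix; the request's response_type must equal the bare part exactly.` As before this change, the whole comparison is skipped when `is_open_id` is false, so non-OIDC requests get no response_type validation here; that is pre-existing, but worth confirming it is intended given the new multi-valued setting. The enclosing method continues outside the hunk.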
@ -6633,7 +6633,7 @@ definitions:
type: string
enum:
- code
- code_adfs
- code#adfs
- id_token
- id_token token
- code token