Remove support for the token response type

2025-11-20 12:02:22 +03:00 · 2022-09-02 12:00:14 +02:00
parent 7b281f4c21
commit 495285162b
8 changed files with 499 additions and 501 deletions
--- a/crates/handlers/src/oauth2/authorization/mod.rs
+++ b/crates/handlers/src/oauth2/authorization/mod.rs
@@ -215,6 +215,28 @@ pub(crate) async fn get(
                    .await?);
            }

+            // Check if the client asked for a `token` response type, and bail out if it's
+            // the case, since we don't support them
+            if response_type.has_token() {
+                return Ok(callback_destination
+                    .go(
+                        &templates,
+                        ClientError::from(ClientErrorCode::UnsupportedResponseType),
+                    )
+                    .await?);
+            }
+
+            // If the client asked for a `id_token` response type, we must check if it can
+            // use the `implicit` grant type
+            if response_type.has_id_token() && !client.grant_types.contains(&GrantType::Implicit) {
+                return Ok(callback_destination
+                    .go(
+                        &templates,
+                        ClientError::from(ClientErrorCode::UnauthorizedClient),
+                    )
+                    .await?);
+            }
+
            if params.auth.registration.is_some() {
                return Ok(callback_destination
                    .go(
@@ -224,16 +246,6 @@ pub(crate) async fn get(
                    .await?);
            }

-            // Check if it is allowed to use this grant type
-            if !client.grant_types.contains(&GrantType::AuthorizationCode) {
-                return Ok(callback_destination
-                    .go(
-                        &templates,
-                        ClientError::from(ClientErrorCode::UnauthorizedClient),
-                    )
-                    .await?);
-            }
-
            // Fail early if prompt=none and there is no active session
            if prompt.contains(&Prompt::None) && maybe_session.is_none() {
                return Ok(callback_destination
@@ -245,6 +257,16 @@ pub(crate) async fn get(
            }

            let code: Option<AuthorizationCode> = if response_type.has_code() {
+                // Check if it is allowed to use this grant type
+                if !client.grant_types.contains(&GrantType::AuthorizationCode) {
+                    return Ok(callback_destination
+                        .go(
+                            &templates,
+                            ClientError::from(ClientErrorCode::UnauthorizedClient),
+                        )
+                        .await?);
+                }
+
                // 32 random alphanumeric characters, about 190bit of entropy
                let code: String = thread_rng()
                    .sample_iter(&Alphanumeric)
@@ -286,7 +308,6 @@ pub(crate) async fn get(
                params.auth.max_age,
                None,
                response_mode,
-                response_type.has_token(),
                response_type.has_id_token(),
                requires_consent,
            )