From 2304d78b5979d6f61f0f18cf3ab2dd0eee8c28ca Mon Sep 17 00:00:00 2001
From: Massimiliano Filacchioni
Date: Thu, 21 Nov 2024 13:05:40 +0100
Subject: [PATCH] Generate access tokens for implicit & hybrid flows only when needed

Avoid access token generation when response_type is either "id_token" (for implicit flow) or "code id_token" (for hybrid flow).

Signed-off-by: Massimiliano Filacchioni
---
 server/handlers.go | 19 +++++++++++--------
 1 file changed, 11 insertions(+), 8 deletions(-)

diff --git a/server/handlers.go b/server/handlers.go
index 5954820caa..5992a51808 100644
--- a/server/handlers.go
+++ b/server/handlers.go
@@ -717,8 +717,6 @@ func (s *Server) sendCodeResponse(w http.ResponseWriter, r *http.Request, authRe
 }
 case responseTypeToken:
 implicitOrHybrid = true
- case responseTypeIDToken:
- implicitOrHybrid = true
 var err error
 accessToken, _, err = s.newAccessToken(r.Context(), authReq.ClientID, authReq.Claims, authReq.Scopes, authReq.Nonce, authReq.ConnectorID)
@@ -727,6 +725,9 @@ func (s *Server) sendCodeResponse(w http.ResponseWriter, r *http.Request, authRe
 s.tokenErrHelper(w, errServerError, "", http.StatusInternalServerError)
 return
 }
+ case responseTypeIDToken:
+ implicitOrHybrid = true
+ var err error
 idToken, idTokenExpiry, err = s.newIDToken(r.Context(), authReq.ClientID, authReq.Claims, authReq.Scopes, authReq.Nonce, accessToken, code.ID, authReq.ConnectorID)
 if err != nil {
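Review bot: In the added `case responseTypeIDToken:` block, `newIDToken` is handed `accessToken` as it stands at that point in the loop, so whatever the ID token derives from it (presumably the at_hash claim) depends on the `token` case having already run; if `authReq.ResponseTypes` preserves the client's order, a request for `id_token token` would mint the ID token before the access token exists. Consider computing the access token before the loop whenever `responseTypeToken` is present (e.g. a `slices.Contains(authReq.ResponseTypes, responseTypeToken)` check or an equivalent pre-pass), or otherwise noting at the case that the ordering is normalized upstream if that is the case. The switch and the loop enclosing it begin before this hunk, and the error handling for `newIDToken` continues past its end.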
@@ -739,12 +740,10 @@ func (s *Server) sendCodeResponse(w http.ResponseWriter, r *http.Request, authRe
 if implicitOrHybrid {
 v := url.Values{}
- v.Set("access_token", accessToken)
- v.Set("token_type", "bearer")
- v.Set("state", authReq.State)
- if idToken != "" {
- v.Set("id_token", idToken)
- // The hybrid flow with only "code token" or "code id_token" doesn't return an
+ if accessToken != "" {
+ v.Set("access_token", accessToken)
+ v.Set("token_type", "bearer")
+ // The hybrid flow with "code token" or "code id_token token" doesn't return an
 // "expires_in" value. If "code" wasn't provided, indicating the implicit flow,
 // don't add it.
 //
@@ -753,6 +752,10 @@ func (s *Server) sendCodeResponse(w http.ResponseWriter, r *http.Request, authRe
 v.Set("expires_in", strconv.Itoa(int(idTokenExpiry.Sub(s.now()).Seconds())))
 }
 }
+ v.Set("state", authReq.State)
+ if idToken != "" {
+ v.Set("id_token", idToken)
+ }
 if code.ID != "" {
 v.Set("code", code.ID)
 }
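Review bot: `expires_in` is now emitted only under the new `if accessToken != "" {` guard, yet the context line in the second hunk still derives it from `idTokenExpiry`, while the second return value of `newAccessToken` is discarded with `_` in the `token` case of the first hunk; if that discarded value is the access token's expiry, `expires_in` should be computed from it now that the field is tied to the access token rather than the ID token. The condition that wraps the `expires_in` line sits between the two hunks and is not visible here, so this may already be acceptable if both lifetimes are kept equal; a short comment at the `expires_in` line stating which lifetime it reports would make that explicit. The enclosing `if implicitOrHybrid {` block closes after the last hunk.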