Generate access tokens for implicit & hybrid flows only when needed

Avoid access token generation when response_type is either "id_token" (for implicit flow) or "code id_token" (for hybrid flow). Signed-off-by: Massimiliano Filacchioni <[email protected]>
dexidp · Nov 21, 2024 · 1b80f18 · 1b80f18
1 parent fa0240d
commit 1b80f18
Showing 1 changed file with 11 additions and 8 deletions.
diff --git a/server/handlers.go b/server/handlers.go
@@ -724,8 +724,6 @@ func (s *Server) sendCodeResponse(w http.ResponseWriter, r *http.Request, authRe
 			}
 		case responseTypeToken:
 			implicitOrHybrid = true
-		case responseTypeIDToken:
-			implicitOrHybrid = true
 			var err error
 
 			accessToken, _, err = s.newAccessToken(r.Context(), authReq.ClientID, authReq.Claims, authReq.Scopes, authReq.Nonce, authReq.ConnectorID)
@@ -734,6 +732,9 @@ func (s *Server) sendCodeResponse(w http.ResponseWriter, r *http.Request, authRe
 				s.tokenErrHelper(w, errServerError, "", http.StatusInternalServerError)
 				return
 			}
+		case responseTypeIDToken:
+			implicitOrHybrid = true
+			var err error
 
 			idToken, idTokenExpiry, err = s.newIDToken(r.Context(), authReq.ClientID, authReq.Claims, authReq.Scopes, authReq.Nonce, accessToken, code.ID, authReq.ConnectorID)
 			if err != nil {
@@ -746,12 +747,10 @@ func (s *Server) sendCodeResponse(w http.ResponseWriter, r *http.Request, authRe
 
 	if implicitOrHybrid {
 		v := url.Values{}
-		v.Set("access_token", accessToken)
-		v.Set("token_type", "bearer")
-		v.Set("state", authReq.State)
-		if idToken != "" {
-			v.Set("id_token", idToken)
-			// The hybrid flow with only "code token" or "code id_token" doesn't return an
+		if accessToken != "" {
+			v.Set("access_token", accessToken)
+			v.Set("token_type", "bearer")
+			// The hybrid flow with "code token" or "code id_token token" doesn't return an
 			// "expires_in" value. If "code" wasn't provided, indicating the implicit flow,
 			// don't add it.
 			//
@@ -760,6 +759,10 @@ func (s *Server) sendCodeResponse(w http.ResponseWriter, r *http.Request, authRe
 				v.Set("expires_in", strconv.Itoa(int(idTokenExpiry.Sub(s.now()).Seconds())))
 			}
 		}
+		v.Set("state", authReq.State)
+		if idToken != "" {
+			v.Set("id_token", idToken)
+		}
 		if code.ID != "" {
 			v.Set("code", code.ID)
 		}