
Generate access tokens for implicit & hybrid flows only when needed
Avoid access token generation when response_type is either "id_token"
(for implicit flow) or "code id_token" (for hybrid flow).

Signed-off-by: Massimiliano Filacchioni <[email protected]>
mfila committed Dec 2, 2024
1 parent 2476f0e commit 2304d78
Showing 1 changed file with 11 additions and 8 deletions.
19 changes: 11 additions & 8 deletions server/handlers.go
Expand Up @@ -717,8 +717,6 @@ func (s *Server) sendCodeResponse(w http.ResponseWriter, r *http.Request, authRe
}
case responseTypeToken:
implicitOrHybrid = true
case responseTypeIDToken:
implicitOrHybrid = true
var err error

accessToken, _, err = s.newAccessToken(r.Context(), authReq.ClientID, authReq.Claims, authReq.Scopes, authReq.Nonce, authReq.ConnectorID)
Expand All @@ -727,6 +725,9 @@ func (s *Server) sendCodeResponse(w http.ResponseWriter, r *http.Request, authRe
s.tokenErrHelper(w, errServerError, "", http.StatusInternalServerError)
return
}
case responseTypeIDToken:
implicitOrHybrid = true
var err error

idToken, idTokenExpiry, err = s.newIDToken(r.Context(), authReq.ClientID, authReq.Claims, authReq.Scopes, authReq.Nonce, accessToken, code.ID, authReq.ConnectorID)
if err != nil {
Expand All @@ -739,12 +740,10 @@ func (s *Server) sendCodeResponse(w http.ResponseWriter, r *http.Request, authRe

if implicitOrHybrid {
v := url.Values{}
v.Set("access_token", accessToken)
v.Set("token_type", "bearer")
v.Set("state", authReq.State)
if idToken != "" {
v.Set("id_token", idToken)
// The hybrid flow with only "code token" or "code id_token" doesn't return an
if accessToken != "" {
v.Set("access_token", accessToken)
v.Set("token_type", "bearer")
// The hybrid flow with "code token" or "code id_token token" doesn't return an
// "expires_in" value. If "code" wasn't provided, indicating the implicit flow,
// don't add it.
//
Expand All @@ -753,6 +752,10 @@ func (s *Server) sendCodeResponse(w http.ResponseWriter, r *http.Request, authRe
v.Set("expires_in", strconv.Itoa(int(idTokenExpiry.Sub(s.now()).Seconds())))
}
}
v.Set("state", authReq.State)
if idToken != "" {
v.Set("id_token", idToken)
}
if code.ID != "" {
v.Set("code", code.ID)
}
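Review bot: In the `case responseTypeIDToken:` branch, `s.newIDToken` is still handed `accessToken` (presumably to derive the at_hash claim), but that variable is now only filled in by the `case responseTypeToken:` branch, so its value at this point depends on which response type the enclosing loop visits first; the loop header and the parsing of authReq.ResponseTypes are outside the hunk, so I can't tell whether the client's order is preserved or normalized. If "token" can be processed after "id_token" (a request of `id_token token` or `code id_token token`), the ID token is minted with an empty access token while an access token is still returned next to it, which the old code never allowed. Minting the access token inside the id_token branch when the response types include "token" and it hasn't been created yet closes that gap; the token branch then needs the matching `if accessToken == "" {` guard so a later iteration does not mint a second token.

```go
case responseTypeIDToken:
	implicitOrHybrid = true
	var err error

	// The ID token is derived from the access token, and "token" may come after
	// "id_token" in authReq.ResponseTypes, so make sure it exists first.
	if accessToken == "" && slices.Contains(authReq.ResponseTypes, responseTypeToken) {
		accessToken, _, err = s.newAccessToken(r.Context(), authReq.ClientID, authReq.Claims, authReq.Scopes, authReq.Nonce, authReq.ConnectorID)
		if err != nil {
			s.tokenErrHelper(w, errServerError, "", http.StatusInternalServerError)
			return
		}
	}

	idToken, idTokenExpiry, err = s.newIDToken(r.Context(), authReq.ClientID, authReq.Claims, authReq.Scopes, authReq.Nonce, accessToken, code.ID, authReq.ConnectorID)
	// … unchanged: newIDToken error handling …
```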
