Generate access tokens for implicit & hybrid flows only when needed (#3857)

Avoid access token generation when response_type is either "id_token" (for implicit flow) or "code id_token" (for hybrid flow). Signed-off-by: Massimiliano Filacchioni <m.filacchioni@gmail.com>
1 year ago · 6e0cbdf972
1 changed files with 11 additions and 8 deletions
--- a/server/handlers.go
+++ b/server/handlers.go
@ -720,8 +720,6 @@ func (s *Server) sendCodeResponse(w http.ResponseWriter, r *http.Request, authRe
 			}
 		case responseTypeToken:
 			implicitOrHybrid = true
-		case responseTypeIDToken:
-			implicitOrHybrid = true
 			var err error

 			accessToken, _, err = s.newAccessToken(r.Context(), authReq.ClientID, authReq.Claims, authReq.Scopes, authReq.Nonce, authReq.ConnectorID)
@ -730,6 +728,9 @@ func (s *Server) sendCodeResponse(w http.ResponseWriter, r *http.Request, authRe
 				s.tokenErrHelper(w, errServerError, "", http.StatusInternalServerError)
 				return
 			}
+		case responseTypeIDToken:
+			implicitOrHybrid = true
+			var err error

 			idToken, idTokenExpiry, err = s.newIDToken(r.Context(), authReq.ClientID, authReq.Claims, authReq.Scopes, authReq.Nonce, accessToken, code.ID, authReq.ConnectorID)
 			if err != nil {
@ -742,12 +743,10 @@ func (s *Server) sendCodeResponse(w http.ResponseWriter, r *http.Request, authRe

 	if implicitOrHybrid {
 		v := url.Values{}
-		v.Set("access_token", accessToken)
-		v.Set("token_type", "bearer")
-		v.Set("state", authReq.State)
-		if idToken != "" {
-			v.Set("id_token", idToken)
-			// The hybrid flow with only "code token" or "code id_token" doesn't return an
+		if accessToken != "" {
+			v.Set("access_token", accessToken)
+			v.Set("token_type", "bearer")
+			// The hybrid flow with "code token" or "code id_token token" doesn't return an
 			// "expires_in" value. If "code" wasn't provided, indicating the implicit flow,
 			// don't add it.
 			//
@ -756,6 +755,10 @@ func (s *Server) sendCodeResponse(w http.ResponseWriter, r *http.Request, authRe
 				v.Set("expires_in", strconv.Itoa(int(idTokenExpiry.Sub(s.now()).Seconds())))
 			}
 		}
+		v.Set("state", authReq.State)
+		if idToken != "" {
+			v.Set("id_token", idToken)
+		}
 		if code.ID != "" {
 			v.Set("code", code.ID)
 		}