providers/oauth2: bug fixes from conformance testing (#15056)

* check authorize request param earlier Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix basic suite? Signed-off-by: Jens Langhammer <jens@goauthentik.io> * another actual fix; don't return access_token when using response_type id_token Signed-off-by: Jens Langhammer <jens@goauthentik.io> * only run basic+implicit for now, fix other tests Signed-off-by: Jens Langhammer <jens@goauthentik.io> # Conflicts: # tests/openid_conformance/test_conformance.py --------- Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2025-06-16 12:23:18 +02:00
parent bce70a1796
commit 59a804273e
2 changed files with 3 additions and 6 deletions
--- a/authentik/providers/oauth2/tests/test_authorize.py
+++ b/authentik/providers/oauth2/tests/test_authorize.py
@ -387,8 +387,7 @@ class TestAuthorize(OAuthTestCase):
            self.assertEqual(
                response.url,
                (
-                    f"http://localhost#access_token={token.token}"
-                    f"&id_token={provider.encode(token.id_token.to_dict())}"
+                    f"http://localhost#id_token={provider.encode(token.id_token.to_dict())}"
                    f"&token_type={TOKEN_TYPE}"
                    f"&expires_in={int(expires)}&state={state}"
                ),
@ -563,7 +562,6 @@ class TestAuthorize(OAuthTestCase):
                "url": "http://localhost",
                "title": f"Redirecting to {app.name}...",
                "attrs": {
-                    "access_token": token.token,
                    "id_token": provider.encode(token.id_token.to_dict()),
                    "token_type": TOKEN_TYPE,
                    "expires_in": "3600",
--- a/authentik/providers/oauth2/views/authorize.py
+++ b/authentik/providers/oauth2/views/authorize.py
@ -150,12 +150,12 @@ class OAuthAuthorizationParams:
        self.check_redirect_uri()
        self.check_grant()
        self.check_scope(github_compat)
-        self.check_nonce()
-        self.check_code_challenge()
        if self.request:
            raise AuthorizeError(
                self.redirect_uri, "request_not_supported", self.grant_type, self.state
            )
+        self.check_nonce()
+        self.check_code_challenge()

    def check_grant(self):
        """Check grant"""
@ -630,7 +630,6 @@ class OAuthFulfillmentStage(StageView):
        if self.params.response_type in [
            ResponseTypes.ID_TOKEN_TOKEN,
            ResponseTypes.CODE_ID_TOKEN_TOKEN,
-            ResponseTypes.ID_TOKEN,
            ResponseTypes.CODE_TOKEN,
        ]:
            query_fragment["access_token"] = token.token