diff --git a/authentik/providers/oauth2/tests/test_authorize.py b/authentik/providers/oauth2/tests/test_authorize.py
index 4447fc5f67..7aecc4d8b5 100644
--- a/authentik/providers/oauth2/tests/test_authorize.py
+++ b/authentik/providers/oauth2/tests/test_authorize.py
@@ -387,8 +387,7 @@ class TestAuthorize(OAuthTestCase):
 self.assertEqual(
 response.url,
 (
- f"http://localhost#access_token={token.token}"
- f"&id_token={provider.encode(token.id_token.to_dict())}"
+ f"http://localhost#id_token={provider.encode(token.id_token.to_dict())}"
 f"&token_type={TOKEN_TYPE}"
 f"&expires_in={int(expires)}&state={state}"
 ),
@@ -563,7 +562,6 @@ class TestAuthorize(OAuthTestCase):
 "url": "http://localhost",
 "title": f"Redirecting to {app.name}...",
 "attrs": {
- "access_token": token.token,
 "id_token": provider.encode(token.id_token.to_dict()),
 "token_type": TOKEN_TYPE,
 "expires_in": "3600",
diff --git a/authentik/providers/oauth2/views/authorize.py b/authentik/providers/oauth2/views/authorize.py
index c6c1aecda7..1c9db0379b 100644
--- a/authentik/providers/oauth2/views/authorize.py
+++ b/authentik/providers/oauth2/views/authorize.py
@@ -150,12 +150,12 @@ class OAuthAuthorizationParams:
 self.check_redirect_uri()
 self.check_grant()
 self.check_scope(github_compat)
- self.check_nonce()
- self.check_code_challenge()
 if self.request:
 raise AuthorizeError(
 self.redirect_uri, "request_not_supported", self.grant_type, self.state
 )
+ self.check_nonce()
+ self.check_code_challenge()
 
 def check_grant(self):
 """Check grant"""
@@ -630,7 +630,6 @@ class OAuthFulfillmentStage(StageView):
 if self.params.response_type in [
 ResponseTypes.ID_TOKEN_TOKEN,
 ResponseTypes.CODE_ID_TOKEN_TOKEN,
- ResponseTypes.ID_TOKEN,
 ResponseTypes.CODE_TOKEN,
 ]:
 query_fragment["access_token"] = token.token
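Review bot: The reordering in OAuthAuthorizationParams leaves no comment on why the `request` parameter check must now run before `check_nonce()` and `check_code_challenge()`, so a later edit could move them back. The intent appears to be that a request object the provider does not support should be reported as `request_not_supported` rather than as a nonce or PKCE error, since those parameters may live inside the rejected object; that is inferred from the order, not stated anywhere in the hunk. Add above the `if self.request:` line: `# Reject an unsupported 'request' object before nonce/PKCE validation so the caller sees request_not_supported rather than a misleading nonce/PKCE error`. The enclosing method begins outside the hunk.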
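Review bot: Dropping ResponseTypes.ID_TOKEN from the fragment branch stops returning an access token for `response_type=id_token`, but the `token.token` read on the following line implies the access token object is still minted before this branch, so for that response type a valid token may now be stored and never delivered to anyone. If that inference holds, the token should either not be created for `ResponseTypes.ID_TOKEN` or be immediately expired, otherwise an unreferenced bearer credential sits in the store until expiry; the creation site is outside this hunk, so confirm against the code above. The list also deserves a why-comment so the omission is not read as an oversight: `# OIDC Core 3.2.2.5: access_token is returned only when response_type includes "token"; plain id_token gets none`. The enclosing method starts and ends outside the hunk.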