providers/oauth2: use # as separate for code#adfs, check if # exists in response_type and trim

2020-09-19 18:33:22 +02:00
parent c1ea605c7e
commit a02fcb0a7a
3 changed files with 11 additions and 4 deletions
--- a/passbook/providers/oauth2/views/authorize.py
+++ b/passbook/providers/oauth2/views/authorize.py
@ -163,8 +163,15 @@ class OAuthAuthorizationParams:
            raise AuthorizeError(self.redirect_uri, "invalid_request", self.grant_type)

        # Response type parameter validation.
-        if is_open_id and self.response_type != self.provider.response_type:
-            raise AuthorizeError(self.redirect_uri, "invalid_request", self.grant_type)
+        if is_open_id:
+            actual_response_type = self.provider.response_type
+            if "#" in self.provider.response_type:
+                hash_index = actual_response_type.index("#")
+                actual_response_type = actual_response_type[:hash_index]
+            if self.response_type != actual_response_type:
+                raise AuthorizeError(
+                    self.redirect_uri, "invalid_request", self.grant_type
+                )

        # PKCE validation of the transformation method.
        if self.code_challenge: