take into account nonce in openid

2021-04-01 12:49:23 +02:00 · 2021-04-01 12:49:23 +02:00 · e6d8815ac5
parent 3c5706fb16
commit e6d8815ac5
2 changed files with 8 additions and 11 deletions
--- a/app/oauth/views/authorize.py
+++ b/app/oauth/views/authorize.py
@ -263,7 +263,6 @@ def authorize():

        auth_code = None
        if ResponseType.CODE in response_types:
-            # Create authorization code
            auth_code = AuthorizationCode.create(
                client_id=client.id,
                user_id=current_user.id,
@ -271,9 +270,8 @@ def authorize():
                scope=scope,
                redirect_uri=redirect_uri,
                response_type=response_types_to_str(response_types),
-                nonce=nonce
+                nonce=nonce,
            )
-            db.session.add(auth_code)
            redirect_args["code"] = auth_code.code

        oauth_token = None
--- a/app/oauth/views/token.py
+++ b/app/oauth/views/token.py
@ -69,12 +69,6 @@ def token():
        access_token=generate_access_token(),
        response_type=auth_code.response_type,
    )
-    db.session.add(oauth_token)
-
-    # Auth code can be used only once
-    AuthorizationCode.delete(auth_code.id)
-
-    db.session.commit()

    client_user: ClientUser = ClientUser.get_by(
        client_id=auth_code.client_id, user_id=auth_code.user_id
@ -96,7 +90,12 @@ def token():
    # Also return id_token if the initial flow is "code,id_token"
    # cf https://medium.com/@darutk/diagrams-of-all-the-openid-connect-flows-6968e3990660
    response_types = get_response_types_from_str(auth_code.response_type)
-    if ResponseType.ID_TOKEN in response_types:
-        res["id_token"] = make_id_token(client_user)
+    if ResponseType.ID_TOKEN in response_types or auth_code.scope == "openid":
+        res["id_token"] = make_id_token(client_user, nonce=auth_code.nonce)
+
+    # Auth code can be used only once
+    AuthorizationCode.delete(auth_code.id)
+
+    db.session.commit()

    return jsonify(res)