From e6d8815ac569a68df71bce4948121f48107fa0bc Mon Sep 17 00:00:00 2001
From: Son NK <>
Date: Thu, 1 Apr 2021 12:49:23 +0200
Subject: [PATCH] take into account nonce in openid

---
 app/oauth/views/authorize.py | 4 +---
 app/oauth/views/token.py | 15 +++++++--------
 2 files changed, 8 insertions(+), 11 deletions(-)

diff --git a/app/oauth/views/authorize.py b/app/oauth/views/authorize.py
index 8ad72bc3..bad58df2 100644
--- a/app/oauth/views/authorize.py
+++ b/app/oauth/views/authorize.py
@@ -263,7 +263,6 @@ def authorize():
 auth_code = None
 if ResponseType.CODE in response_types:
- # Create authorization code
 auth_code = AuthorizationCode.create(
 client_id=client.id,
 user_id=current_user.id,
@@ -271,9 +270,8 @@ def authorize():
 scope=scope,
 redirect_uri=redirect_uri,
 response_type=response_types_to_str(response_types),
- nonce=nonce
+ nonce=nonce,
 )
- db.session.add(auth_code)
 redirect_args["code"] = auth_code.code
 oauth_token = None
diff --git a/app/oauth/views/token.py b/app/oauth/views/token.py
index eb0dd4ef..899b196b 100644
--- a/app/oauth/views/token.py
+++ b/app/oauth/views/token.py
@@ -69,12 +69,6 @@ def token():
 access_token=generate_access_token(),
 response_type=auth_code.response_type,
 )
- db.session.add(oauth_token)
-
- # Auth code can be used only once
- AuthorizationCode.delete(auth_code.id)
-
- db.session.commit()
 client_user: ClientUser = ClientUser.get_by(
 client_id=auth_code.client_id, user_id=auth_code.user_id
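Review bot: Dropping `db.session.add(auth_code)` in the second authorize.py hunk (and `db.session.add(oauth_token)` in the first token.py hunk at line 69) is only correct if `AuthorizationCode.create` and the token create call add the new row to the session themselves; that is not visible in this patch, so please confirm, otherwise neither the code nor the token is persisted and the later `db.session.commit()` writes nothing for them. The `nonce` stored here is a client-supplied value that is now echoed back inside the id_token, which deserves a one-line comment at the create call, e.g. `# nonce comes from the authorization request and is echoed in the id_token so the client can bind the token to its request`. The enclosing authorize() function starts before and continues past these hunks, so where `nonce` is read and validated cannot be checked from here.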
@@ -96,7 +90,12 @@ def token():
 # Also return id_token if the initial flow is "code,id_token"
 # cf https://medium.com/@darutk/diagrams-of-all-the-openid-connect-flows-6968e3990660
 response_types = get_response_types_from_str(auth_code.response_type)
- if ResponseType.ID_TOKEN in response_types:
- res["id_token"] = make_id_token(client_user)
+ if ResponseType.ID_TOKEN in response_types or auth_code.scope == "openid":
+ res["id_token"] = make_id_token(client_user, nonce=auth_code.nonce)
+
+ # Auth code can be used only once
+ AuthorizationCode.delete(auth_code.id)
+
+ db.session.commit()
 return jsonify(res)
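Review bot: The new condition `auth_code.scope == "openid"` only matches when openid is the sole scope; an OAuth scope value is a space-delimited list, so a code issued for something like `openid email` would get no id_token even though the client asked for OIDC. If `auth_code.scope` holds the raw scope string, `if ResponseType.ID_TOKEN in response_types or "openid" in auth_code.scope.split():` covers both cases (adjust if scope is stored in another form). The comment above the condition, `# Also return id_token if the initial flow is "code,id_token"`, is now incomplete and should also say that the id_token is issued whenever the openid scope was granted, with the nonce from the authorization request. Moving the single-use deletion and the commit after make_id_token is consistent: a failure there now leaves the code unconsumed and the token uncommitted together rather than consuming the code first. The enclosing token() function starts before this hunk, where the authorization code is looked up.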