diff --git a/passbook/providers/oauth2/models.py b/passbook/providers/oauth2/models.py index 67773ccd0..73b22cf9f 100644 --- a/passbook/providers/oauth2/models.py +++ b/passbook/providers/oauth2/models.py @@ -71,7 +71,7 @@ class ResponseTypes(models.TextChoices): CODE = "code", _("code (Authorization Code Flow)") CODE_ADFS = ( - "code_adfs", + "code#adfs", _("code (ADFS Compatibility Mode, sends id_token as access_token)"), ) ID_TOKEN = "id_token", _("id_token (Implicit Flow)") diff --git a/passbook/providers/oauth2/views/authorize.py b/passbook/providers/oauth2/views/authorize.py index b4bb544ef..4fef195c1 100644 --- a/passbook/providers/oauth2/views/authorize.py +++ b/passbook/providers/oauth2/views/authorize.py @@ -163,8 +163,15 @@ class OAuthAuthorizationParams: raise AuthorizeError(self.redirect_uri, "invalid_request", self.grant_type) # Response type parameter validation. - if is_open_id and self.response_type != self.provider.response_type: - raise AuthorizeError(self.redirect_uri, "invalid_request", self.grant_type) + if is_open_id: + actual_response_type = self.provider.response_type + if "#" in self.provider.response_type: + hash_index = actual_response_type.index("#") + actual_response_type = actual_response_type[:hash_index] + if self.response_type != actual_response_type: + raise AuthorizeError( + self.redirect_uri, "invalid_request", self.grant_type + ) # PKCE validation of the transformation method. if self.code_challenge: diff --git a/swagger.yaml b/swagger.yaml index 40576c72e..4ac9d3311 100755 --- a/swagger.yaml +++ b/swagger.yaml @@ -6633,7 +6633,7 @@ definitions: type: string enum: - code - - code_adfs + - code#adfs - id_token - id_token token - code token