openid: hybrid flow using token+code+id_token returns multiple toke…

…ns of the same type - closes #99
ory · Sep 22, 2016 · d681fc8 · d681fc8
1 parent 7afff30
commit d681fc8
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 3 deletions.
diff --git a/handler/openid/flow_hybrid.go b/handler/openid/flow_hybrid.go
@@ -63,7 +63,6 @@ func (c *OpenIDConnectHybridHandler) HandleAuthorizeEndpointRequest(ctx context.
 		}
 
 		resp.AddFragment("code", code)
-		resp.AddFragment("state", ar.GetState())
 		ar.SetResponseTypeHandled("code")
 
 		hash, err := c.Enigma.Hash([]byte(resp.GetFragment().Get("code")))
@@ -94,13 +93,15 @@ func (c *OpenIDConnectHybridHandler) HandleAuthorizeEndpointRequest(ctx context.
 
 	if err := c.IDTokenHandleHelper.IssueImplicitIDToken(ctx, req, ar, resp); err != nil {
 		return errors.Wrap(err, err.Error())
-	} else if err := c.IDTokenHandleHelper.IssueImplicitIDToken(ctx, req, ar, resp); err != nil {
-		return errors.Wrap(err, err.Error())
 	}
 
 	// there is no need to check for https, because implicit flow does not require https
 	// https://tools.ietf.org/html/rfc6819#section-4.4.2
 
+	if resp.GetFragment().Get("state") == "" {
+		resp.AddFragment("state", ar.GetState())
+	}
+
 	ar.SetResponseTypeHandled("id_token")
 	return nil
 }
diff --git a/handler/openid/flow_implicit.go b/handler/openid/flow_implicit.go
@@ -24,6 +24,9 @@ type OpenIDConnectImplicitHandler struct {
 func (c *OpenIDConnectImplicitHandler) HandleAuthorizeEndpointRequest(ctx context.Context, req *http.Request, ar fosite.AuthorizeRequester, resp fosite.AuthorizeResponder) error {
 	if !(ar.GetGrantedScopes().Has("openid") && (ar.GetResponseTypes().Has("token", "id_token") || ar.GetResponseTypes().Exact("id_token"))) {
 		return nil
+	} else if ar.GetResponseTypes().Has("code") {
+		// hybrid flow
+		return nil
 	}
 
 	if !ar.GetClient().GetGrantTypes().Has("implicit") {