From a02fcb0a7acb0837c2cb868740019fa76135ec5a Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Sat, 19 Sep 2020 18:33:22 +0200
Subject: [PATCH] providers/oauth2: use # as separate for code#adfs, check if #
 exists in response_type and trim

---
 passbook/providers/oauth2/models.py          |  2 +-
 passbook/providers/oauth2/views/authorize.py | 11 +++++++++--
 swagger.yaml                                 |  2 +-
 3 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/passbook/providers/oauth2/models.py b/passbook/providers/oauth2/models.py
index 67773ccd0..73b22cf9f 100644
--- a/passbook/providers/oauth2/models.py
+++ b/passbook/providers/oauth2/models.py
@@ -71,7 +71,7 @@ class ResponseTypes(models.TextChoices):
 
     CODE = "code", _("code (Authorization Code Flow)")
     CODE_ADFS = (
-        "code_adfs",
+        "code#adfs",
         _("code (ADFS Compatibility Mode, sends id_token as access_token)"),
     )
     ID_TOKEN = "id_token", _("id_token (Implicit Flow)")
diff --git a/passbook/providers/oauth2/views/authorize.py b/passbook/providers/oauth2/views/authorize.py
index b4bb544ef..4fef195c1 100644
--- a/passbook/providers/oauth2/views/authorize.py
+++ b/passbook/providers/oauth2/views/authorize.py
@@ -163,8 +163,15 @@ class OAuthAuthorizationParams:
             raise AuthorizeError(self.redirect_uri, "invalid_request", self.grant_type)
 
         # Response type parameter validation.
-        if is_open_id and self.response_type != self.provider.response_type:
-            raise AuthorizeError(self.redirect_uri, "invalid_request", self.grant_type)
+        if is_open_id:
+            actual_response_type = self.provider.response_type
+            if "#" in self.provider.response_type:
+                hash_index = actual_response_type.index("#")
+                actual_response_type = actual_response_type[:hash_index]
+            if self.response_type != actual_response_type:
+                raise AuthorizeError(
+                    self.redirect_uri, "invalid_request", self.grant_type
+                )
 
         # PKCE validation of the transformation method.
         if self.code_challenge:
diff --git a/swagger.yaml b/swagger.yaml
index 40576c72e..4ac9d3311 100755
--- a/swagger.yaml
+++ b/swagger.yaml
@@ -6633,7 +6633,7 @@ definitions:
         type: string
         enum:
           - code
-          - code_adfs
+          - code#adfs
           - id_token
           - id_token token
           - code token