ory / hydra-maester

Kubernetes CRD Controller for Ory Hydra. Warning: maintained by the community, not an official Ory project!
Apache License 2.0

response_type=id_token+token #101

Closed afreakk closed 2 years ago

afreakk commented 3 years ago

Describe the bug

If I do an implicit grant with response_type=id_token+token and I configure the OAuth2Client with:

  responseTypes:
    - id_token
    - token

I get "The client is not allowed to request response_type 'id_token token'." But if I manually create the client using a POST with a JSON body containing

    "response_types": [
      "id_token token"
    ],

I am allowed to do the implicit grant with response_type=id_token+token. But maester won't let me configure response_types like that:

  responseTypes:
    - "id_token token"

Results in:

invalid: spec.responseTypes: Unsupported value: "id_token token": supported values: "id_token", "code", "token"

Reproducing the bug

  1. Create kind: OAuth2Client with:

     responseTypes:
       - "id_token token"

Relevant log output

No response

Relevant configuration

No response

Version

oryd/hydra-maester:v0.0.24

On which operating system are you observing this issue?

No response

In which environment are you deploying?

Kubernetes with Helm

Additional Context

No response

Demonsthere commented 3 years ago

Hello there, the error is generated from this kubebuilder annotation:

// +kubebuilder:validation:Enum=id_token;code;token

It seems it would be enough to expand the enum here and regenerate the CRD.

Demonsthere commented 2 years ago

Hello there, for clarification, are you trying to pass an array, or a single field with the value of "id_token token"? The following sample is working just fine:

apiVersion: hydra.ory.sh/v1alpha1
kind: OAuth2Client
metadata:
  name: my-oauth2-client
  namespace: default
spec:
  grantTypes:
    - client_credentials
    - implicit
    - authorization_code
    - refresh_token
  responseTypes:
    - id_token
    - code
    - token
  scope: "read write"
  secretName: my-secret-123

afreakk commented 2 years ago

Yeah, that deploys fine, but if you try using multiple responseTypes in an implicit flow, you get

invalid: spec.responseTypes: Unsupported value: "id_token token": supported values: "id_token", "code", "token"

Demonsthere commented 2 years ago

I see, so basically right now we support an OR scenario, but not an AND one.

We would like to support the following options:

apiVersion: hydra.ory.sh/v1alpha1
kind: OAuth2Client
metadata:
  name: my-oauth2-client
  namespace: default
spec:
  grantTypes:
    - client_credentials
    - implicit
    - authorization_code
    - refresh_token
  responseTypes:
    - id_token
    - code
    - token
    - code token
    - code id_token
    - id_token token
    - code id_token token
  scope: "read write"
  secretName: my-secret-123
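As an added example (not hydra-maester's or Hydra's own code), a Go model of the two checks this thread touches: the CRD-side enum validation using the expanded list proposed above, and the server-side match that compares the requested response_type with each registered entry as a whole set, which is why separately registered id_token and token give an OR rather than an AND. The supportedResponseTypes list and the function names are assumptions made for this example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Assumed set mirroring the expanded enum proposed in the thread: each entry
// is one space-separated OAuth 2.0 response_type value a client may register.
var supportedResponseTypes = []string{
	"id_token", "code", "token", "code token",
	"code id_token", "id_token token", "code id_token token",
}

// canonical sorts the tokens so "token id_token" equals "id_token token" (order is not significant).
func canonical(rt string) string {
	parts := strings.Fields(rt)
	sort.Strings(parts)
	return strings.Join(parts, " ")
}

// matchesOne reports whether rt equals, as a set of tokens, one entry of list.
func matchesOne(list []string, rt string) bool {
	want := canonical(rt)
	for _, l := range list {
		if canonical(l) == want {
			return true
		}
	}
	return false
}

// ValidateSpecResponseTypes is the CRD-side check the kubebuilder enum performs.
func ValidateSpecResponseTypes(configured []string) error {
	for _, c := range configured {
		if !matchesOne(supportedResponseTypes, c) {
			return fmt.Errorf("spec.responseTypes: Unsupported value: %q", c)
		}
	}
	return nil
}

// ClientAllowsResponseType is the authorization-server-side check: the requested
// response_type must equal one registered entry as a whole. Registering
// "id_token" and "token" separately is therefore an OR, not an AND.
func ClientAllowsResponseType(registered []string, requested string) bool {
	return matchesOne(registered, requested)
}
```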