From ade60bf07bbe180f4439ffa7e6d1431caf4c33f3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?K=C3=A9vin=20Chalet?=
Date: Tue, 17 May 2022 19:53:23 +0200
Subject: [PATCH] Fix various issues with the hybrid flow
---
 .../Controllers/ApplicationController.cs | 20 ++++++++++++++++++--
 .../OpenIdApplicationExtensions.cs | 10 +++++-----
 2 files changed, 23 insertions(+), 7 deletions(-)
diff --git a/src/OrchardCore.Modules/OrchardCore.OpenId/Controllers/ApplicationController.cs b/src/OrchardCore.Modules/OrchardCore.OpenId/Controllers/ApplicationController.cs
index d09b58eac8d..f8159b6b2cd 100644
--- a/src/OrchardCore.Modules/OrchardCore.OpenId/Controllers/ApplicationController.cs
+++ b/src/OrchardCore.Modules/OrchardCore.OpenId/Controllers/ApplicationController.cs
@@ -204,9 +204,25 @@ public async Task Edit(string id, string returnUrl = null) var model = new EditOpenIdApplicationViewModel { - AllowAuthorizationCodeFlow = await HasPermissionAsync(OpenIddictConstants.Permissions.GrantTypes.AuthorizationCode), + AllowAuthorizationCodeFlow = await HasPermissionAsync(OpenIddictConstants.Permissions.GrantTypes.AuthorizationCode) && + await HasPermissionAsync(OpenIddictConstants.Permissions.ResponseTypes.Code), + AllowClientCredentialsFlow = await HasPermissionAsync(OpenIddictConstants.Permissions.GrantTypes.ClientCredentials), - AllowImplicitFlow = await HasPermissionAsync(OpenIddictConstants.Permissions.GrantTypes.Implicit), + + // Note: the hybrid flow doesn't have a dedicated grant_type but is treated as a combination + // of both the authorization code and implicit grants. As such, to determine whether the hybrid + // flow is enabled, both the authorization code grant and the implicit grant MUST be enabled. + AllowHybridFlow = await HasPermissionAsync(OpenIddictConstants.Permissions.GrantTypes.AuthorizationCode) && + await HasPermissionAsync(OpenIddictConstants.Permissions.GrantTypes.Implicit) && + (await HasPermissionAsync(OpenIddictConstants.Permissions.ResponseTypes.CodeIdToken) || + await HasPermissionAsync(OpenIddictConstants.Permissions.ResponseTypes.CodeIdTokenToken) || + await HasPermissionAsync(OpenIddictConstants.Permissions.ResponseTypes.CodeToken)), + + AllowImplicitFlow = await HasPermissionAsync(OpenIddictConstants.Permissions.GrantTypes.Implicit) && + (await HasPermissionAsync(OpenIddictConstants.Permissions.ResponseTypes.IdToken) || + await HasPermissionAsync(OpenIddictConstants.Permissions.ResponseTypes.IdTokenToken) || + await HasPermissionAsync(OpenIddictConstants.Permissions.ResponseTypes.Token)), + AllowPasswordFlow = await HasPermissionAsync(OpenIddictConstants.Permissions.GrantTypes.Password), AllowRefreshTokenFlow = await HasPermissionAsync(OpenIddictConstants.Permissions.GrantTypes.RefreshToken), 
 AllowLogoutEndpoint = await HasPermissionAsync(OpenIddictConstants.Permissions.Endpoints.Logout),
diff --git a/src/OrchardCore.Modules/OrchardCore.OpenId/OpenIdApplicationExtensions.cs b/src/OrchardCore.Modules/OrchardCore.OpenId/OpenIdApplicationExtensions.cs
index d2458c8871d..edce158ca81 100644
--- a/src/OrchardCore.Modules/OrchardCore.OpenId/OpenIdApplicationExtensions.cs
+++ b/src/OrchardCore.Modules/OrchardCore.OpenId/OpenIdApplicationExtensions.cs
@@ -64,7 +64,7 @@ public static async Task UpdateDescriptorFromSettings(this IOpenIdApplicationMan
 descriptor.Permissions.Remove(OpenIddictConstants.Permissions.Endpoints.Logout);
 }
- if (model.AllowAuthorizationCodeFlow)
+ if (model.AllowAuthorizationCodeFlow || model.AllowHybridFlow)
 {
 descriptor.Permissions.Add(OpenIddictConstants.Permissions.GrantTypes.AuthorizationCode);
 }
@@ -82,7 +82,7 @@ public static async Task UpdateDescriptorFromSettings(this IOpenIdApplicationMan
 descriptor.Permissions.Remove(OpenIddictConstants.Permissions.GrantTypes.ClientCredentials);
 }
- if (model.AllowImplicitFlow)
+ if (model.AllowHybridFlow || model.AllowImplicitFlow)
 {
 descriptor.Permissions.Add(OpenIddictConstants.Permissions.GrantTypes.Implicit);
 }
@@ -109,7 +109,7 @@ public static async Task UpdateDescriptorFromSettings(this IOpenIdApplicationMan
 descriptor.Permissions.Remove(OpenIddictConstants.Permissions.GrantTypes.RefreshToken);
 }
- if (model.AllowAuthorizationCodeFlow || model.AllowImplicitFlow)
+ if (model.AllowAuthorizationCodeFlow || model.AllowHybridFlow || model.AllowImplicitFlow)
 {
 descriptor.Permissions.Add(OpenIddictConstants.Permissions.Endpoints.Authorization);
 }
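Review bot: The new AllowAuthorizationCodeFlow, AllowHybridFlow and AllowImplicitFlow initializers in the first hunk await HasPermissionAsync for GrantTypes.AuthorizationCode three times and for GrantTypes.Implicit twice, each presumably a separate lookup against the application's stored permissions; hoist them into locals before the object initializer, e.g. `var allowCodeGrant = await HasPermissionAsync(OpenIddictConstants.Permissions.GrantTypes.AuthorizationCode);` and `var allowImplicitGrant = await HasPermissionAsync(OpenIddictConstants.Permissions.GrantTypes.Implicit);`, and reuse them in the three expressions. Note also that AllowAuthorizationCodeFlow now reads false for an application that holds the grant-type permission but not ResponseTypes.Code, so if UpdateDescriptorFromSettings does not add the matching response-type permissions on save (the hunks shown only add grant-type and endpoint permissions), such an application would show the flow unchecked and re-saving the edit form would silently drop its authorization-code grant; that round trip is worth checking. The Edit action and the object initializer both continue outside this hunk.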
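Review bot: In the hunk at `-82,7`, enabling the hybrid flow alone now grants GrantTypes.Implicit, the same permission a pure implicit client receives, so whether a hybrid-only client is kept from the `token` or `id_token` response types depends entirely on the ResponseTypes permissions, which are not managed in any of the hunks shown. Since `code token` and `code id_token token` already hand an access token to the front channel, a comment here making that dependency explicit would help, e.g. `// The hybrid flow reuses the implicit grant permission; the allowed response types are what keep a hybrid-only client from the pure implicit flow.`. If the response-type permissions are not maintained elsewhere in UpdateDescriptorFromSettings, that is a gap to close rather than document. This method starts above the first hunk and continues past the last one.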
@@ -118,8 +118,8 @@ public static async Task UpdateDescriptorFromSettings(this IOpenIdApplicationMan
 descriptor.Permissions.Remove(OpenIddictConstants.Permissions.Endpoints.Authorization);
 }
- if (model.AllowAuthorizationCodeFlow || model.AllowClientCredentialsFlow ||
- model.AllowPasswordFlow || model.AllowRefreshTokenFlow)
+ if (model.AllowAuthorizationCodeFlow || model.AllowHybridFlow ||
+ model.AllowClientCredentialsFlow || model.AllowPasswordFlow || model.AllowRefreshTokenFlow)
 {
 descriptor.Permissions.Add(OpenIddictConstants.Permissions.Endpoints.Token);
 }
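Review bot: The rewritten `if` in this hunk lists five flags across two lines with no indication of why the hybrid flow needs the token endpoint while the implicit flow, the other half of "hybrid", does not; a one-line comment above the `if` would spare the next reader re-deriving it: `// Flows that redeem a code, credentials or a refresh token need the token endpoint; hybrid qualifies because its code is exchanged there, implicit does not.`. The enclosing UpdateDescriptorFromSettings starts before this hunk, and the else branch that removes the permission presumably follows the closing brace shown.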