Remove built-in support for the none flow

8 years ago · 6471384676
2 changed files with 23 additions and 3 deletions
--- a/src/OpenIddict/OpenIddictProvider.Authentication.cs
+++ b/src/OpenIddict/OpenIddictProvider.Authentication.cs
@ -112,9 +112,8 @@ namespace OpenIddict
            var options = (OpenIddictOptions) context.Options;

            // Note: the OpenID Connect server middleware supports authorization code, implicit, hybrid,
-            // none and custom flows but OpenIddict uses a stricter policy rejecting unknown flows.
-            if (!context.Request.IsAuthorizationCodeFlow() && !context.Request.IsHybridFlow() &&
-                !context.Request.IsImplicitFlow() && !context.Request.IsNoneFlow())
+            // none and custom flows but OpenIddict uses a stricter policy rejecting none and custum flows.
+            if (!context.Request.IsAuthorizationCodeFlow() && !context.Request.IsHybridFlow() && !context.Request.IsImplicitFlow())
            {
                Logger.LogError("The authorization request was rejected because the '{ResponseType}' " +
                                "response type is not supported.", context.Request.ResponseType);
--- a/test/OpenIddict.Tests/OpenIddictProviderTests.Authentication.cs
+++ b/test/OpenIddict.Tests/OpenIddictProviderTests.Authentication.cs
@ -114,6 +114,27 @@ namespace OpenIddict.Tests
            Assert.Equal("The specified 'request_id' parameter is invalid.", response.ErrorDescription);
        }

+        [Fact]
+        public async Task ValidateAuthorizationRequest_NoneFlowIsRejected()
+        {
+            // Arrange
+            var server = CreateAuthorizationServer();
+
+            var client = new OpenIdConnectClient(server.CreateClient());
+
+            // Act
+            var response = await client.PostAsync(AuthorizationEndpoint, new OpenIdConnectRequest
+            {
+                ClientId = "Fabrikam",
+                RedirectUri = "http://www.fabrikam.com/path",
+                ResponseType = OpenIdConnectConstants.ResponseTypes.None
+            });
+
+            // Assert
+            Assert.Equal(OpenIdConnectConstants.Errors.UnsupportedResponseType, response.Error);
+            Assert.Equal("The specified 'response_type' parameter is not supported.", response.ErrorDescription);
+        }
+
        [Fact]
        public async Task ValidateAuthorizationRequest_UnknownResponseTypeParameterIsRejected()
        {