lib/uaa/token_issuer.rb in cf-uaa-lib-3.2.3 vs lib/uaa/token_issuer.rb in cf-uaa-lib-3.2.4

- old
+ new

@@ -82,11 +82,11 @@
 def authorize_path_args(response_type, redirect_uri, scope, state = random_state, args = {})
 params = args.merge(:client_id => @client_id, :response_type => response_type, :redirect_uri => redirect_uri, :state => state)
 params[:scope] = scope = Util.strlist(scope) if scope = Util.arglist(scope)
- params[:nonce], params[:response_type] = state, "#{response_type} id_token" if scope && scope.include?('openid')
+ params[:nonce] = state
 "/oauth/authorize?#{Util.encode_form(params)}"
 end
 def jkey(k) @key_style ? k : k.to_s end
@@ -132,11 +132,13 @@
 # the keys retrieved by {#prompts}.
 # @return [TokenInfo]
 def implicit_grant_with_creds(credentials, scope = nil)
 # this manufactured redirect_uri is a convention here, not part of OAuth2
 redir_uri = "https://uaa.cloudfoundry.com/redirect/#{@client_id}"
- uri = authorize_path_args("token", redir_uri, scope, state = random_state)
+ response_type = "token"
+ response_type = "#{response_type} id_token" if scope && (scope.include? "openid")
+ uri = authorize_path_args(response_type, redir_uri, scope, state = random_state)
 # the accept header is only here so the uaa will issue error replies in json to aid debugging
 headers = {'content-type' => FORM_UTF8, 'accept' => JSON_UTF8 }
 body = Util.encode_form(credentials.merge(:source => 'credentials'))
 status, body, headers = request(@target, :post, uri, body, headers)
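Review bot: In `authorize_path_args`, the added `params[:nonce] = state` runs after `args.merge(...)`, so a `:nonce` that a caller passed in `args` is silently overwritten, and the nonce is always the same value as `state`. The two values do different jobs in OpenID Connect: `state` is echoed back in the redirect to tie the response to the request, while `nonce` comes back inside the ID token to detect replay, so sharing one value means anything that exposes `state` also exposes the nonce. Consider `params[:nonce] ||= state` so a caller-supplied nonce survives, with a comment such as `# nonce defaults to state; pass :nonce in args to keep the two independent`. Nothing in this hunk shows the nonce claim of a returned id_token being compared with the value sent, so that check is worth confirming where the response is parsed.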
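Review bot: In `implicit_grant_with_creds`, `scope.include? "openid"` is evaluated on the raw `scope` argument, so its meaning depends on the caller's type: on an Array it is an exact element match, on a String it is a substring match, and a scope name that merely contains `openid` would switch the request to `token id_token`. Testing the normalized list would be tighter, for example `response_type = "token id_token" if (Util.arglist(scope) || []).include?("openid")`, assuming `Util.arglist` returns the scopes as an array, as its use in `authorize_path_args` suggests. The same two lines are repeated in `implicit_uri` in the next hunk, so a small private helper would keep the two call sites from drifting apart. The body of `implicit_grant_with_creds` continues past the end of the hunk.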
@@ -152,10 +154,12 @@
 # Constructs a uri that the client is to return to the browser to direct
 # the user to the authorization server to get an authcode.
 # @param [String] redirect_uri (see #authcode_uri)
 # @return [String]
 def implicit_uri(redirect_uri, scope = nil)
- @target + authorize_path_args("token", redirect_uri, scope)
+ response_type = "token"
+ response_type = "#{response_type} id_token" if scope && (scope.include? "openid")
+ @target + authorize_path_args(response_type, redirect_uri, scope)
 end
 # Gets a token via an implicit grant.
 # @param [String] implicit_uri must be from a previous call to
 # {#implicit_uri}, contains state used to validate the contents of the
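Review bot: The doc comment above `implicit_uri` still says the URI sends the user "to get an authcode" and has no `@param` entry for `scope`, although `scope` now decides the response type inside this method. A line such as `# @param scope when it includes "openid", the response type becomes "token id_token"` would document the new behaviour, and rewording "authcode" to "token" would make the comment match the implicit flow the method builds. Callers choosing scopes have no other visible hint that requesting `openid` changes what the authorization server is asked to return.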