From c85281b29fae3324423426e40c15be89c2bd15f3 Mon Sep 17 00:00:00 2001
From: Sylvain
Date: Tue, 19 Apr 2022 17:39:42 +0200
Subject: [PATCH] (api) automatically configure the openID response_type
---
 app/controllers/api/auth_providers_controller.rb | 2 +-
 .../authentication-provider/openid-connect-form.tsx | 9 ---------
 app/models/open_id_connect_provider.rb | 5 +++++
 app/views/api/auth_providers/show.json.jbuilder | 2 +-
 config/locales/app.admin.en.yml | 4 ----
 5 files changed, 7 insertions(+), 15 deletions(-)
diff --git a/app/controllers/api/auth_providers_controller.rb b/app/controllers/api/auth_providers_controller.rb
index 9b94fe50b..8eb5dfb5e 100644
--- a/app/controllers/api/auth_providers_controller.rb
+++ b/app/controllers/api/auth_providers_controller.rb
@@ -96,7 +96,7 @@ class API::AuthProvidersController < API::ApiController
 elsif params['auth_provider']['providable_type'] == OpenIdConnectProvider.name
 params.require(:auth_provider)
 .permit(:name, :providable_type,
- providable_attributes: %i[id issuer discovery client_auth_method scope response_type prompt
+ providable_attributes: %i[id issuer discovery client_auth_method scope prompt
 send_scope_to_token_endpoint post_logout_redirect_uri uid_field extra_authorize_params allow_authorize_params client__identifier client__secret client__redirect_uri client__scheme client__host client__port client__authorization_endpoint client__token_endpoint
diff --git a/app/frontend/src/javascript/components/authentication-provider/openid-connect-form.tsx b/app/frontend/src/javascript/components/authentication-provider/openid-connect-form.tsx
index b3d4e1fa9..96e6267d6 100644
--- a/app/frontend/src/javascript/components/authentication-provider/openid-connect-form.tsx
+++ b/app/frontend/src/javascript/components/authentication-provider/openid-connect-form.tsx
@@ -103,15 +103,6 @@ export const OpenidConnectForm = - }
diff --git a/app/models/open_id_connect_provider.rb b/app/models/open_id_connect_provider.rb
index 0bd4badf3..44b2a616c 100644
--- a/app/models/open_id_connect_provider.rb
+++ b/app/models/open_id_connect_provider.rb
@@ -21,6 +21,7 @@ class OpenIdConnectProvider < ApplicationRecord
 before_validation :set_client_scheme_host_port
 before_validation :set_redirect_uri
 before_validation :set_display
+ before_validation :set_response_type
 def config
 OpenIdConnectProvider.columns.map(&:name).filter { |n| !n.start_with?('client__') && n != 'profile_url' }.map do |n|
@@ -52,6 +53,10 @@ class OpenIdConnectProvider < ApplicationRecord
 self.response_mode = 'query'
 end
+ def set_response_type
+ self.response_type = 'code'
+ end
+
 def set_client_scheme_host_port
 require 'uri'
diff --git a/app/views/api/auth_providers/show.json.jbuilder b/app/views/api/auth_providers/show.json.jbuilder
index b30d4c285..53aaf6363 100644
--- a/app/views/api/auth_providers/show.json.jbuilder
+++ b/app/views/api/auth_providers/show.json.jbuilder
@@ -12,7 +12,7 @@ end
 if @provider.providable_type == OpenIdConnectProvider.name
 json.providable_attributes do
- json.extract! @provider.providable, :id, :issuer, :discovery, :client_auth_method, :scope, :response_type,
+ json.extract! @provider.providable, :id, :issuer, :discovery, :client_auth_method, :scope,
 :prompt, :send_scope_to_token_endpoint, :post_logout_redirect_uri, :uid_field, :client__identifier, :client__secret, :client__redirect_uri, :client__scheme, :client__host, :client__port, :client__authorization_endpoint, :client__token_endpoint, :client__userinfo_endpoint, :client__jwks_uri, :client__end_session_endpoint, :profile_url
diff --git a/config/locales/app.admin.en.yml b/config/locales/app.admin.en.yml
index 55953b401..6ae95c11d 100644
--- a/config/locales/app.admin.en.yml
+++ b/config/locales/app.admin.en.yml
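Review bot: `set_response_type` forces `'code'` only when a record is validated, so providers already stored with another `response_type` (the removed locale keys show `id_token` was selectable) keep that value until they are next saved. No data migration is visible in this patch; if none exists elsewhere, consider one that updates existing rows, since an `id_token` response hands the token back through the front channel rather than through the token endpoint. A one-line comment above the method, for example `# response_type is fixed to the authorization code flow and is no longer user-configurable`, would record why the column is overwritten. The callback list in the first hunk and the method in the second both sit in a class body that continues outside the patch.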
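Review bot: The `json.extract!` list edited in the show.json.jbuilder hunk still returns `:client__secret` in the JSON body, so the OpenID client secret leaves the server on every read of this view. Who may call the endpoint is decided outside this hunk, so it may well be admin-only, but a client secret is safer treated as write-only: drop `:client__secret` from the list and have the form send a new value only when it is being changed, if the form can cope with that. The `if` block continues past the end of the hunk.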
@@ -1113,10 +1113,6 @@ en:
 client_auth_method_jwks: "JWKS"
 scope: "Scope"
 scope_help: "Which OpenID scopes to include (openid is always required)"
- response_type: "Response type"
- response_type_help: "Which OpenID response type to use with the authorization request. This is usually 'code'"
- response_type_code: "Code"
- response_type_id_token: "Id token"
 prompt: "Prompt"
 prompt_help_html: "Which OpenID pages the user will be shown.
None - no authentication or consent user interface pages are shown.
Login - the authorization server prompt the user for reauthentication.
Consent - the authorization server prompt the user for consent before returning information to Fab-manager.
Select account - the authorization server prompt the user to select a user account."
 prompt_none: "None"