fix(oidc): do not return access token for response type id_token (#8777)

# Which Problems Are Solved

Do not return an access token for implicit flow from v1 login, if the
`response_type` is `id_token`.

# How the Problems Are Solved

Do not create the access token event if the `response_type` is
`id_token`.

# Additional Changes

Token endpoint calls without auth request, such as machine users, token
exchange and refresh token, do not have a `response_type`. For such
calls the `OIDCResponseTypeUnspecified` enum is added at a `-1` offset,
in order not to break existing client configs.

# Additional Context

- https://discord.com/channels/927474939156643850/1294001717725237298
- Fixes https://github.com/zitadel/zitadel/issues/8776
This commit is contained in:
Tim Möhlmann
2024-11-12 17:20:48 +02:00
committed by GitHub
parent 69e9926bcc
commit 778b4041ca
9 changed files with 105 additions and 3 deletions


@@ -69,6 +69,7 @@ func (s *Server) refreshTokenV1(ctx context.Context, client *Client, r *op.Clien
refreshToken.Actor,
true,
"",
domain.OIDCResponseTypeUnspecified,
)
if err != nil {
return nil, err
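Review bot: in this `refreshTokenV1` call the new `domain.OIDCResponseTypeUnspecified` argument follows two bare positional literals (`true`, `""`), so nothing at the call site says which parameter each value fills or why the refresh path passes "unspecified". The commit message states that token endpoint calls without an auth request have no `response_type` and that the enum is added at a `-1` offset, which means the type's zero value is not the unspecified value. A short comment here to that effect, or moving the trailing parameters into a named struct, would make it harder for a later caller to pass a zero value by accident. A test asserting that a refresh token grant still yields an access token would also pin down that the new `id_token` check does not affect this path.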