OIDC request_type "code token" does not save access token

[kazkansouh]

I was experimenting with django-oauth-toolkit and noticed when setting a request type of code token the returned access token was not valid because it was not saved into the database. Looking into the issue I believe that during the hybrid flow for code, after the token is generated there is a missing call to request_validator.save_token(code, request).

That is, the following code:

oauthlib/oauthlib/oauth2/rfc6749/grant_types/authorization_code.py

Lines 272 to 279 in d54965b

	grant = self.create_authorization_code(request)
	for modifier in self._code_modifiers:
	grant = modifier(grant, token_handler, request)
	log.debug('Saving grant %r for %r.', grant, request)
	self.request_validator.save_authorization_code(
	request.client_id, grant, request)
	return self.prepare_authorization_response(
	request, grant, {}, None, 302)

After oauth2.rfc6749.grant_types.base.GrantTypeBase.add_token is called as a modifier there is no corresponding call to request_validator.save_token. That is, I would have expected (based on examining the implicit flow) to see something like the following present:

if 'access_token' in grant:
  self.request_validator.save_token(grant, request)

Alternatively, if save_authorization_code is expected to make this check then this is an issue for the django-oauth-toolkit project.

Version

$ pip3 freeze | grep oauth
django-oauth-toolkit==1.5.0
oauthlib==3.1.0

[JonathanHuot]

Hi, it seems a mistake for hybrid mode; I suppose a problem of oauthlib itself. Does anyone has some time to have a look on it for a PR ?

[kazkansouh]

I'd be happy to submit a PR that implements the solution I outlined above - assuming it is good?

[JonathanHuot]

That would be very kind, yes.