From 4e3aef22a1eed62fda16b4d48df34fd45a85309e Mon Sep 17 00:00:00 2001
From: Roeland Jago Douma <roeland@famdouma.nl>
Date: Wed, 16 May 2018 11:24:48 +0200
Subject: [PATCH] Fail if the response type is not properly set

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
---
 .../lib/Controller/LoginRedirectorController.php      | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/apps/oauth2/lib/Controller/LoginRedirectorController.php b/apps/oauth2/lib/Controller/LoginRedirectorController.php
index 9237b4b1b3..8e6d6d55e2 100644
--- a/apps/oauth2/lib/Controller/LoginRedirectorController.php
+++ b/apps/oauth2/lib/Controller/LoginRedirectorController.php
@@ -61,11 +61,20 @@ class LoginRedirectorController extends Controller {
 	 *
 	 * @param string $client_id
 	 * @param string $state
+	 * @param string $response_type
 	 * @return RedirectResponse
 	 */
 	public function authorize($client_id,
-							  $state) {
+							  $state,
+							  $response_type) {
 		$client = $this->clientMapper->getByIdentifier($client_id);
+
+		if ($response_type !== 'code') {
+			//Fail
+			$url = $client->getRedirectUri() . '?error=unsupported_response_type&state=' . $state;
+			return new RedirectResponse($url);
+		}
+
 		$this->session->set('oauth.state', $state);
 
 		$targetUrl = $this->urlGenerator->linkToRouteAbsolute(