Commit ad25c9ec authored by Xavier Morel

[FIX] auth_oauth: google rejects nonce if response_type=token


I apparently missed this case in #88871: Google's legacy
flow (response_type=token) explicitly rejects a `nonce` parameter
being passed in the authentication request. The nonce parameter is
only accepted for an OIDC-conformant implicit flow request (aka
`response_type=token id_token`).

The specific endpoint doesn't seem to have any bearing on this: the v1 and
v2 authentication endpoints result in the same behavior.

Drawback: Okta isn't supported anymore, as it requires the nonce, no
ifs, no buts, even on "legacy" auth requests; possibly others do too. However,
since these already weren't supported, that's considered less of an
issue than possibly breaking compatibility with existing IDPs.

Rejected alternative: adding `id_token` to the `response_type` to come
closer to an OIDC-conformant request; however, that was considered too
risky: Odoo clients could be using legacy IDPs which also reject the
nonce parameter but don't have a magic "OIDC conformant" trigger.

closes odoo/odoo#91466

X-original-commit: 1fd738d9
Signed-off-by: Xavier Morel (xmo) <xmo@odoo.com>
Signed-off-by: Olivier Dony <odo@odoo.com>
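As an added example (not Odoo's code and not part of this commit), here is the behaviour the commit message argues for, written out in Python: a `nonce` is only put in the authorization request when the provider's `response_type` includes `id_token`, so a plain `response_type=token` request (which Google rejects when a nonce is present) goes out without one, and when an id_token does come back its `nonce` claim is compared to the one that was sent. The provider dicts, the endpoint URL and the claims dict are constructed for the example; a real id_token would have to be signature-verified before its claims are trusted, which is out of scope here.

```python
import base64
import json
import os
from urllib.parse import parse_qs, urlencode, urlsplit


def generate_nonce(nbytes=16):
    """Random, URL-safe nonce returned as str (not bytes) so it encodes cleanly."""
    return base64.urlsafe_b64encode(os.urandom(nbytes)).rstrip(b"=").decode("ascii")


def wants_nonce(response_type):
    """A nonce belongs only in requests that return an id_token, i.e. OIDC flows.

    'token'          -> legacy implicit flow, no nonce (Google rejects it)
    'token id_token' -> OIDC implicit flow, nonce required
    """
    return "id_token" in response_type.split()


def build_auth_params(provider, return_url, state, nonce=None):
    """Build the authorization-request parameters for one provider dict.

    `provider` is assumed to carry response_type, client_id, scope and
    auth_endpoint keys (an assumption for this example).
    """
    params = {
        "response_type": provider["response_type"],
        "client_id": provider["client_id"],
        "redirect_uri": return_url,
        "scope": provider["scope"],
        "state": json.dumps(state),
    }
    if wants_nonce(provider["response_type"]):
        params["nonce"] = nonce or generate_nonce()
    return params


def build_auth_link(provider, return_url, state, nonce=None):
    params = build_auth_params(provider, return_url, state, nonce)
    return "%s?%s" % (provider["auth_endpoint"], urlencode(params))


def query_of(link):
    """Decode a built link back into its query parameters (for inspection/tests)."""
    return parse_qs(urlsplit(link).query)


def check_nonce(id_token_claims, expected_nonce):
    """Accept an id_token only if its nonce claim matches the nonce we sent.

    `id_token_claims` is the already signature-verified claim set (a dict);
    a missing or mismatched nonce means the token was not issued for this
    request and must be rejected.
    """
    if not expected_nonce:
        return False
    return id_token_claims.get("nonce") == expected_nonce


# Constructed sample providers (placeholder endpoint, not a real IDP):
LEGACY_PROVIDER = {
    "response_type": "token",
    "client_id": "example-client",
    "scope": "openid email",
    "auth_endpoint": "https://idp.example/authorize",
}
OIDC_PROVIDER = dict(LEGACY_PROVIDER, response_type="token id_token")
```

Keeping the decision in `wants_nonce` means a provider record, not a code comment, decides whether the nonce is sent, so re-enabling an OIDC-conformant flow for one IDP does not re-break the legacy ones.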
parent 2a101c13
......@@ -65,7 +65,7 @@ class OAuthLogin(Home):
redirect_uri=return_url,
scope=provider['scope'],
state=json.dumps(state),
nonce=base64.urlsafe_b64encode(os.urandom(16)),
# nonce=base64.urlsafe_b64encode(os.urandom(16)),
)
provider['auth_link'] = "%s?%s" % (provider['auth_endpoint'], werkzeug.urls.url_encode(params))
return providers
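Review bot: the `nonce=` line at the top of the hunk is commented out rather than removed, which leaves dead code with no record of why it went away; either delete it, or replace it with a comment that states the reason (Google's `response_type=token` flow rejects a `nonce`; it is only accepted alongside `id_token`) and points at the issue, so the next person does not simply uncomment it. If `base64` and `os` were imported only for this line, they should be dropped as well. Since `state` is now the only per-request value left in the request, anyone who later re-enables an OIDC-conformant `response_type` should bring the nonce back together with a check of the `nonce` claim in the returned id_token, not just the parameter.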