Merge remote-tracking branch 'origin/main'

Author: gschier

plugins/auth-oauth2/src/grants/implicit.ts

@@ -31,7 +31,7 @@ export function getImplicit(
     }
 
     const authorizationUrl = new URL(`${authorizationUrlRaw ?? ''}`);
-    authorizationUrl.searchParams.set('response_type', 'code');
+    authorizationUrl.searchParams.set('response_type', 'token');
     authorizationUrl.searchParams.set('client_id', clientId);
     if (redirectUri) authorizationUrl.searchParams.set('redirect_uri', redirectUri);
     if (scope) authorizationUrl.searchParams.set('scope', scope);
@@ -42,25 +42,33 @@ export function getImplicit(
     }
 
     const authorizationUrlStr = authorizationUrl.toString();
+    let foundAccessToken = false;
     let { close } = await ctx.window.openUrl({
       url: authorizationUrlStr,
       label: 'oauth-authorization-url',
+      async onClose() {
+        if (!foundAccessToken) {
+          reject(new Error('Authorization window closed'));
+        }
+      },
       async onNavigate({ url: urlStr }) {
         const url = new URL(urlStr);
         if (url.searchParams.has('error')) {
           return reject(Error(`Failed to authorize: ${url.searchParams.get('error')}`));
         }
 
-        // Close the window here, because we don't need it anymore
-        close();
-
         const hash = url.hash.slice(1);
         const params = new URLSearchParams(hash);
-        const idToken = params.get('id_token');
-        if (idToken) {
-          params.set('access_token', idToken);
-          params.delete('id_token');
+
+        const accessToken = params.get('access_token');
+        if (!accessToken) {
+          return;
         }
+        foundAccessToken = true;
+
+        // Close the window here, because we don't need it anymore
+        close();
+
         const response = Object.fromEntries(params) as unknown as AccessTokenRawResponse;
         try {
           resolve(await storeToken(ctx, contextId, response));