cloudflare · jacobbednarz · May 24, 2024 · May 22, 2024
@@ -0,0 +1,3 @@
+```release-note:enhancement
+access_application: Add support for Hybrid/Implicit flows and options
+```
@@ -210,6 +210,11 @@ type RefreshTokenOptions struct {
 	Lifetime string `json:"lifetime,omitempty"`
 }
 
+type AccessApplicationHybridAndImplicitOptions struct {
+	ReturnIDTokenFromAuthorizationEndpoint     *bool `json:"return_id_token_from_authorization_endpoint,omitempty"`
+	ReturnAccessTokenFromAuthorizationEndpoint *bool `json:"return_access_token_from_authorization_endpoint,omitempty"`
+}
+
 type SaasApplication struct {
 	// Items common to both SAML and OIDC
 	AppID     string     `json:"app_id,omitempty"`
@@ -230,16 +235,17 @@ type SaasApplication struct {
 	SamlAttributeTransformJsonata string                `json:"saml_attribute_transform_jsonata"`
 
 	// OIDC saas app
-	ClientID                     string               `json:"client_id,omitempty"`
-	ClientSecret                 string               `json:"client_secret,omitempty"`
-	RedirectURIs                 []string             `json:"redirect_uris,omitempty"`
-	GrantTypes                   []string             `json:"grant_types,omitempty"`
-	Scopes                       []string             `json:"scopes,omitempty"`
-	AppLauncherURL               string               `json:"app_launcher_url,omitempty"`
-	GroupFilterRegex             string               `json:"group_filter_regex,omitempty"`
-	CustomClaims                 []OIDCClaimConfig    `json:"custom_claims,omitempty"`
-	AllowPKCEWithoutClientSecret *bool                `json:"allow_pkce_without_client_secret,omitempty"`
-	RefreshTokenOptions          *RefreshTokenOptions `json:"refresh_token_options,omitempty"`
+	ClientID                     string                                     `json:"client_id,omitempty"`
+	ClientSecret                 string                                     `json:"client_secret,omitempty"`
+	RedirectURIs                 []string                                   `json:"redirect_uris,omitempty"`
+	GrantTypes                   []string                                   `json:"grant_types,omitempty"`
+	Scopes                       []string                                   `json:"scopes,omitempty"`
+	AppLauncherURL               string                                     `json:"app_launcher_url,omitempty"`
+	GroupFilterRegex             string                                     `json:"group_filter_regex,omitempty"`
+	CustomClaims                 []OIDCClaimConfig                          `json:"custom_claims,omitempty"`
+	AllowPKCEWithoutClientSecret *bool                                      `json:"allow_pkce_without_client_secret,omitempty"`
+	RefreshTokenOptions          *RefreshTokenOptions                       `json:"refresh_token_options,omitempty"`
+	HybridAndImplicitOptions     *AccessApplicationHybridAndImplicitOptions `json:"hybrid_and_implicit_options,omitempty"`
 }
 
 type AccessAppLauncherCustomization struct {

@@ -1112,7 +1112,7 @@ func TestCreateOIDCSaasAccessApplications(t *testing.T) {
 					"client_id": "737646a56ab1df6ec9bddc7e5ca84eaf3b0768850f3ffb5d74f1534911fe3893",
 					"client_secret": "secret",
 					"redirect_uris": ["https://saas.example.com"],
-					"grant_types": ["authorization_code"],
+					"grant_types": ["authorization_code", "hybrid", "implicit"],
 					"scopes": ["openid", "email", "profile", "groups"],
 					"app_launcher_url": "https://saas.example.com",
 					"group_filter_regex": ".*",
@@ -1126,7 +1126,11 @@ func TestCreateOIDCSaasAccessApplications(t *testing.T) {
 							"required": true,
 							"scope": "profile"
 						}
-					]
+					],
+					"hybrid_and_implicit_options": {
+						"return_id_token_from_authorization_endpoint": true,
+						"return_access_token_from_authorization_endpoint": true
+					}
 				}
 			}
 		}
@@ -1156,7 +1160,7 @@ func TestCreateOIDCSaasAccessApplications(t *testing.T) {
 			ClientID:                     "737646a56ab1df6ec9bddc7e5ca84eaf3b0768850f3ffb5d74f1534911fe3893",
 			ClientSecret:                 "secret",
 			RedirectURIs:                 []string{"https://saas.example.com"},
-			GrantTypes:                   []string{"authorization_code"},
+			GrantTypes:                   []string{"authorization_code", "hybrid", "implicit"},
 			Scopes:                       []string{"openid", "email", "profile", "groups"},
 			AppLauncherURL:               "https://saas.example.com",
 			GroupFilterRegex:             ".*",
@@ -1169,6 +1173,10 @@ func TestCreateOIDCSaasAccessApplications(t *testing.T) {
 					Scope:    "profile",
 				},
 			},
+			HybridAndImplicitOptions: &AccessApplicationHybridAndImplicitOptions{
+				ReturnIDTokenFromAuthorizationEndpoint:     BoolPtr(true),
+				ReturnAccessTokenFromAuthorizationEndpoint: BoolPtr(true),
+			},
 		},
 		CreatedAt:                &createdAt,
 		UpdatedAt:                &updatedAt,
@@ -1182,6 +1190,7 @@ func TestCreateOIDCSaasAccessApplications(t *testing.T) {
 		Name: "Admin Saas Site",
 		SaasApplication: &SaasApplication{
 			AuthType:                     "oidc",
+			GrantTypes:                   []string{"authorization_code", "hybrid", "implicit"},
 			RedirectURIs:                 []string{"https://saas.example.com"},
 			AppLauncherURL:               "https://saas.example.com",
 			GroupFilterRegex:             ".*",
@@ -1194,6 +1203,10 @@ func TestCreateOIDCSaasAccessApplications(t *testing.T) {
 					Scope:    "profile",
 				},
 			},
+			HybridAndImplicitOptions: &AccessApplicationHybridAndImplicitOptions{
+				ReturnIDTokenFromAuthorizationEndpoint:     BoolPtr(true),
+				ReturnAccessTokenFromAuthorizationEndpoint: BoolPtr(true),
+			},
 		},
 		SessionDuration: "24h",
 	})
@@ -1208,6 +1221,7 @@ func TestCreateOIDCSaasAccessApplications(t *testing.T) {
 		Name: "Admin Saas Site",
 		SaasApplication: &SaasApplication{
 			AuthType:                     "oidc",
+			GrantTypes:                   []string{"authorization_code", "hybrid", "implicit"},
 			RedirectURIs:                 []string{"https://saas.example.com"},
 			AppLauncherURL:               "https://saas.example.com",
 			GroupFilterRegex:             ".*",
@@ -1220,6 +1234,10 @@ func TestCreateOIDCSaasAccessApplications(t *testing.T) {
 					Scope:    "profile",
 				},
 			},
+			HybridAndImplicitOptions: &AccessApplicationHybridAndImplicitOptions{
+				ReturnIDTokenFromAuthorizationEndpoint:     BoolPtr(true),
+				ReturnAccessTokenFromAuthorizationEndpoint: BoolPtr(true),
+			},
 		},
 		SessionDuration: "24h",
 	})