reject IDPs without supported response_types (#1645)

Co-authored-by: Daniel Valdivia <18384552+dvaldivia@users.noreply.github.com>

pkg/auth/idp/oauth2/provider.go

@@ -30,6 +30,7 @@ import (
 	"time"
 
 	"github.com/minio/minio-go/v7/pkg/credentials"
+	"github.com/minio/minio-go/v7/pkg/set"
 
 	"github.com/minio/console/pkg/auth/utils"
 	"golang.org/x/crypto/pbkdf2"
@@ -142,6 +143,11 @@ func getLoginCallbackURL(r *http.Request) string {
 	return redirectURL
 }
 
+var supportedResponseTypes = set.CreateStringSet([]string{
+	"code id_token",
+	"code token id_token",
+}...)
+
 // NewOauth2ProviderClient instantiates a new oauth2 client using the configured credentials
 // it returns a *Provider object that contains the necessary configuration to initiate an
 // oauth2 authentication flow
@@ -151,6 +157,18 @@ func NewOauth2ProviderClient(scopes []string, r *http.Request, httpClient *http.
 		return nil, err
 	}
 
+	var supported bool
+	for _, responseType := range ddoc.ResponseTypesSupported {
+		if supportedResponseTypes.Contains(responseType) {
+			supported = true
+			continue
+		}
+	}
+
+	if !supported {
+		return nil, fmt.Errorf("expected 'code id_token' response type - got %s, login not allowed", ddoc.ResponseTypesSupported)
+	}
+
 	// If provided scopes are empty we use a default list or the user configured list
 	if len(scopes) == 0 {
 		scopes = strings.Split(getIDPScopes(), ",")