This repository was archived by the owner on Jun 12, 2021. It is now read-only.
In configurations with PKCE enabled as not essential, and plain challenge method not supported, authentication requests without PKCE parameters fail. The reason behind this is that because the challenge method is missing, plain is set and afterwards a check for the code_challenge_method validity fails, because we do not support plain. I suppose that this check must be done only in case code_challenge is included in the request.
The add_pkce_support method assumes both authorization and token endpoints are configured, so it makes no checks before trying to add PKCE hook methods. As a result, it crashes if either is missing. I propose that instead of crashing we make the required checks and, in case either is missing, we log a warning and skip the configuration.
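The check order described in the first paragraph above, shown beside the corrected order, as an added example that is not code from this repository. The names `check_buggy`, `check_fixed`, `rejected` and the sample requests are hypothetical and constructed for illustration.

```python
class PKCEError(ValueError):
    """Raised when an authorization request fails PKCE validation."""


def check_buggy(request, essential, supported):
    # Order described in the report: the method is defaulted first and then
    # validated unconditionally, so a request without PKCE is rejected.
    method = request.get("code_challenge_method", "plain")
    if method not in supported:
        raise PKCEError("unsupported code_challenge_method: " + method)
    if essential and "code_challenge" not in request:
        raise PKCEError("missing required code_challenge")
    return method


def check_fixed(request, essential, supported):
    # Validate the method only when the client actually sent a challenge.
    if "code_challenge" not in request:
        if essential:
            raise PKCEError("missing required code_challenge")
        return None  # client did not use PKCE; nothing to validate
    # RFC 7636 section 4.3: the method defaults to "plain" when omitted.
    method = request.get("code_challenge_method", "plain")
    if method not in supported:
        raise PKCEError("unsupported code_challenge_method: " + method)
    return method


def rejected(check, request, essential=False, supported=("S256",)):
    """Return True when `check` refuses the request."""
    try:
        check(request, essential, supported)
    except PKCEError:
        return True
    return False


# Constructed sample authorization requests (not captured traffic).
NO_PKCE = {"client_id": "client-1", "response_type": "code"}
WITH_S256 = dict(NO_PKCE, code_challenge="constructed-challenge",
                 code_challenge_method="S256")
IMPLICIT_PLAIN = dict(NO_PKCE, code_challenge="constructed-challenge")
```

A challenge sent without a method still defaults to plain and is still refused when only S256 is supported, so the corrected order does not reopen a downgrade to plain.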