Closed m0rl closed 5 months ago
@m0rl Hi, could you please clarify if the issue blocks your development with Aidbox in any way?
Hi @VarvaraSemenova, we found a temporary solution so it can wait until the next stable release without any problem.
Thank you! It is fixed now and available on the edge, latest, and stable
Awesome! Thank you.
**Describe the bug**
Using `code_verifier` of length 43 to authorize a native client with OAuth 2.0 PKCE fails with status code 400 and error `code_verifier is too short`. Changing the `code_verifier` length to 44 works, but RFC 7636 defines the minimum `code_verifier` length to be 43.

**Severity**
Major

**Steps to reproduce the behavior:**
1. `code_verifier = BASE64URL-ENCODE(random 32 octet sequence)`, `code_verifier` length is 43
2. `code_challenge = BASE64URL-ENCODE(SHA256(ASCII(code_verifier)))`
3. Exchange `code` for `token` using the `code_verifier`

**Expected behavior**
Exchanging `code` for `token` succeeds with `code_verifier` of length 43 as described by RFC 7636.

**Versions:**
DIGEST:sha256:10c2694f67d26e8dd71e88781b056c0c215f460f90ca66ac2426bab4380877d3

**Additional Context:**
Some native libraries use `code_verifier = BASE64URL-ENCODE(random 32 octet sequence)` by default and do not allow it to be changed by a reasonable effort.
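The following is an added example, not code from this issue or from Aidbox, showing both halves of the PKCE exchange the report describes: the client-side derivation of `code_verifier` (32 random octets, base64url without padding, which is exactly 43 characters) and `code_challenge` (S256), and a server-side check that uses the inclusive lower bound of 43 from RFC 7636 section 4.1. The `buggy_verifier_length_ok` function is a constructed illustration of the kind of off-by-one that rejects a 43-character verifier; it is an assumption about how such a bug could look, not Aidbox's actual implementation. The `verify_pkce` helper, its error strings and the function names are all hypothetical; the test vector in the comments is from RFC 7636 Appendix B.

```python
import base64
import hashlib
import re
import secrets
from typing import Tuple

# RFC 7636 section 4.1: code_verifier is 43 to 128 characters, inclusive,
# drawn from the unreserved set [A-Z] [a-z] [0-9] "-" "." "_" "~".
VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def b64url_nopad(raw: bytes) -> str:
    """BASE64URL-ENCODE as in RFC 7636 Appendix A: base64url with '=' padding removed."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(n_octets: int = 32) -> str:
    """Client side: BASE64URL-ENCODE(random n-octet sequence).

    32 octets encode to 44 base64 characters with one '=' of padding,
    so after stripping the padding the verifier is exactly 43 characters.
    """
    return b64url_nopad(secrets.token_bytes(n_octets))


def make_code_challenge(code_verifier: str) -> str:
    """Client side: BASE64URL-ENCODE(SHA256(ASCII(code_verifier))).

    RFC 7636 Appendix B vector:
      verifier  dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk
      challenge E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM
    """
    return b64url_nopad(hashlib.sha256(code_verifier.encode("ascii")).digest())


def verifier_length_ok(code_verifier: str) -> bool:
    """Server side: correct check, 43 <= len <= 128 and only unreserved characters."""
    return VERIFIER_RE.fullmatch(code_verifier) is not None


def buggy_verifier_length_ok(code_verifier: str) -> bool:
    """Constructed off-by-one (assumed, not Aidbox's code): '>' instead of '>=' on the
    lower bound, which rejects the minimum-length 43-character verifier."""
    return 43 < len(code_verifier) <= 128


def verify_pkce(code_verifier: str, stored_challenge: str,
                method: str = "S256") -> Tuple[bool, str]:
    """Server side, at the token endpoint: validate code_verifier against the
    code_challenge stored with the authorization code.

    Returns (ok, error); a caller maps a False result to an HTTP 400 response.
    """
    if not verifier_length_ok(code_verifier):
        return False, "code_verifier must be 43..128 unreserved characters"
    if method == "S256":
        expected = make_code_challenge(code_verifier)
    elif method == "plain":
        expected = code_verifier
    else:
        return False, "unsupported code_challenge_method"
    # Constant-time comparison so verification time does not leak challenge bytes.
    if not secrets.compare_digest(expected, stored_challenge):
        return False, "code_verifier does not match code_challenge"
    return True, ""


if __name__ == "__main__":
    verifier = make_code_verifier()          # 43 characters, as in the report
    challenge = make_code_challenge(verifier)
    print(len(verifier), verify_pkce(verifier, challenge),
          "buggy check accepts:", buggy_verifier_length_ok(verifier))
```

Running the block shows the correct check accepting the 43-character verifier while the constructed off-by-one rejects it; the same verifier generated from 33 octets (44 characters) passes both, which matches the workaround mentioned in the report.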