Aidbox / Issues

Issue tracker for Aidbox FHIR backend by Health Samurai

[BUG] Code verifier validation error authorizing native client with OAuth 2.0 PKCE #571

Closed m0rl closed 5 months ago

m0rl commented 5 months ago

Describe the bug

Using a code_verifier of length 43 to authorize a native client with OAuth 2.0 PKCE fails with status code 400 and the error code_verifier is too short. Changing the code_verifier length to 44 works, but RFC 7636 defines the minimum code_verifier length as 43.

Severity

Major

Steps to reproduce the behavior:

Expected behavior

Exchanging code for token succeeds with code_verifier of length 43 as described by RFC 7636.

Versions:

Additional Context:

Some native libraries use code_verifier = BASE64URL-ENCODE(random 32 octet sequence) by default and do not allow it to be changed with reasonable effort.
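The report comes down to a boundary check on the PKCE code_verifier. The following is an added example (not Aidbox's code and not the reporter's) showing how a conforming server should validate the verifier per RFC 7636 §4.1 (43 to 128 characters from the unreserved set) and check it against an S256 code_challenge. It also includes a hypothetical off-by-one check, written here only to illustrate the symptom described above (a 43-character verifier rejected, a 44-character one accepted); it is not a claim about how the actual bug was implemented. The generator mirrors the default the reporter mentions: BASE64URL-ENCODE of 32 random octets, which is exactly 43 characters once padding is stripped.

```python
import base64
import hashlib
import re
import secrets

# RFC 7636 section 4.1: code_verifier = 43*128 unreserved characters
# unreserved = ALPHA / DIGIT / "-" / "." / "_" / "~"
MIN_VERIFIER_LEN = 43
MAX_VERIFIER_LEN = 128
_VERIFIER_RE = re.compile(r"[A-Za-z0-9\-._~]{43,128}")


def b64url(data: bytes) -> str:
    """BASE64URL-ENCODE without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(n_octets: int = 32) -> str:
    """Client side: the RFC 7636 recommended default, 32 random octets.

    32 octets base64url-encode to 44 characters with one '=' of padding,
    so the padding-free result is exactly 43 characters: the RFC minimum.
    """
    return b64url(secrets.token_bytes(n_octets))


def make_code_challenge(verifier: str) -> str:
    """S256 transform: BASE64URL-ENCODE(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def buggy_length_check(verifier: str) -> bool:
    """Hypothetical off-by-one that reproduces the reported symptom:
    a 43-character verifier is rejected, 44 is accepted. Illustration only."""
    return MIN_VERIFIER_LEN < len(verifier) <= MAX_VERIFIER_LEN


def validate_code_verifier(verifier: str) -> bool:
    """Server side: correct RFC 7636 check, inclusive lower bound of 43
    and a character-set check (length alone is not enough)."""
    return _VERIFIER_RE.fullmatch(verifier) is not None


def verify_pkce(verifier: str, challenge: str, method: str = "S256") -> bool:
    """Token endpoint check: recompute the challenge from the presented
    verifier and compare in constant time. Unknown methods are rejected."""
    if not validate_code_verifier(verifier):
        return False
    if method == "S256":
        expected = make_code_challenge(verifier)
    elif method == "plain":
        expected = verifier
    else:
        return False
    return secrets.compare_digest(expected, challenge)


if __name__ == "__main__":
    v = make_code_verifier()
    c = make_code_challenge(v)
    print(len(v), "chars; buggy check:", buggy_length_check(v),
          "correct check:", validate_code_verifier(v),
          "token exchange ok:", verify_pkce(v, c))
```

Running the block with the default 32-octet verifier shows the two checks disagreeing on a 43-character input, which is the behaviour the issue describes; the test below also pins the correct path to the published RFC 7636 Appendix B vector.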

VarvaraSemenova commented 5 months ago

@m0rl Hi, could you please clarify if the issue blocks your development with Aidbox in any way?

m0rl commented 5 months ago

@m0rl Hi, could you please clarify if the issue blocks your development with Aidbox in any way?

Hi @VarvaraSemenova, we found a temporary solution so it can wait until the next stable release without any problem.

ddegr commented 5 months ago

Thank you! It is fixed now and available on the edge, latest, and stable

m0rl commented 5 months ago

Thank you! It is fixed now and available on the edge, latest, and stable

Awesome! Thank you.