First of all, thanks for your work :), it simplifies the OIDC connection a lot.
But it seems the openid-connect-client does not respect the RFC 7636 - section 4.1 about the PKCE.
Indeed, the RFC mentions that the code verifier should be included between 43 and 128 characters.
But the method that generates the code verifier in OIDCAuthenticationFilter generates 50 bits and converts it in hexadecimal after, which results in a code verifier of length of 12 or 13...
Incriminated method :
/**
* Create a random code challenge and store it in the session
* @param session
* @return
*/
protected static String createCodeVerifier(HttpSession session) {
String challenge = new BigInteger(50, new SecureRandom()).toString(16);
session.setAttribute(CODE_VERIFIER_SESSION_VARIABLE, challenge);
return challenge;
}
module: openid-connect-client
version : 1.3.4
First of all, thanks for your work :), it simplifies the OIDC connection a lot. But it seems the openid-connect-client does not respect the RFC 7636 - section 4.1 about the PKCE. Indeed, the RFC mentions that the code verifier should be included between 43 and 128 characters.
But the method that generates the code verifier in
OIDCAuthenticationFiltergenerates 50 bits and converts it in hexadecimal after, which results in a code verifier of length of 12 or 13...Incriminated method :