mozilla / fxa-oauth-server

OAuth server for Firefox Accounts

PKCE implementation `code_verifier` does not match specifications #495

Closed linuxwolf closed 7 years ago

linuxwolf commented 7 years ago

This implementation forces code_verifier to be exactly 32 (ASCII) characters long. However, according to RFC 7636 § 4.1, the code_verifier is expected to be between 32 and 128 (ASCII) characters long.

rfk commented 7 years ago

Hrm, it also looks like we're accepting arbitrary strings, while the spec says it should only contain b64urlsafe characters "with a minimum length of 43 characters and a maximum length of 128 characters".

linuxwolf commented 7 years ago

Ignoring impacts to any existing clients, the fix is very straightforward: https://github.com/mozilla/fxa-oauth-server/compare/master...linuxwolf:pkce_code_verifier

The question, though, is what impact is acceptable to existing implementations?

vladikoff commented 7 years ago

> The question, though, is what impact is acceptable to existing implementations?

You mean if it breaks other PKCE users? It's just Firefox Notes and we can fix it up in the sync branch 👍

linuxwolf commented 7 years ago

The only other implementation (pending) I'm aware of is Lockbox. As long as we've got a bit of fair warning when this makes it to the scoped-keys dev server, we should be fine, too.

vladikoff commented 7 years ago

@linuxwolf fix deployed to https://oauth-scoped-keys-oct10.dev.lcip.org/ server that has your lockbox prototype clients