nextauthjs / next-auth

Authentication for the Web.
https://authjs.dev
ISC License
22.49k stars 2.98k forks

fix: strip `code_verifier` from request body when the provider doesn't support PKCE #10765

Closed balazsorban44 closed 2 weeks ago

balazsorban44 commented 2 weeks ago

Fixes #8831

Some providers choke when there is a code_verifier param on a request that they cannot handle (like LinkedIn not supporting PKCE), even if this is not according to the spec.

Per spec:

> The authorization server MUST ignore unrecognized request parameters.

https://datatracker.ietf.org/doc/html/rfc6749#section-3.2

> Servers that support PKCE are required to support "S256", and servers that do not support PKCE will simply ignore the unknown "code_verifier".

https://datatracker.ietf.org/doc/html/rfc7636#section-7.2

This PR strips the unwanted param if the provider is configured without `checks: ["pkce"]`

vercel[bot] commented 2 weeks ago

The latest updates on your projects.

| Name | Status | Preview | Comments | Updated (UTC) |
| :--- | :----- | :------ | :------- | :------------ |
| **auth-docs** | ✅ Ready (Inspect) | Visit Preview | 💬 Add feedback | Apr 29, 2024 7:55pm |

2 Ignored Deployments

| Name | Status | Preview | Comments | Updated (UTC) |
| :--- | :----- | :------ | :------- | :------------ |
| **next-auth-docs** | ⬜️ Ignored ([Inspect](https://vercel.com/authjs/next-auth-docs/GNrdapmngqUUwKbGdvaxzXSPYAMZ)) | [Visit Preview](https://next-auth-docs-git-fix-linkedin-authjs.vercel.app) | | Apr 29, 2024 7:55pm |
| **proxy** | ⬜️ Ignored ([Inspect](https://vercel.com/authjs/proxy/6K3Q1PR9YiAn8Yjr27mUzLTQF4YV)) | [Visit Preview](https://proxy-git-fix-linkedin-authjs.vercel.app) | | Apr 29, 2024 7:55pm |
codecov[bot] commented 2 weeks ago

Codecov Report

Attention: Patch coverage is 30.76923%, with 9 lines in your changes missing coverage. Please review.

Project coverage is 41.46%. Comparing base (f762906) to head (7f4c6ed).

| Files | Patch % | Lines |
| :--- | :------ | :---- |
| ...es/core/src/lib/actions/callback/oauth/callback.ts | 33.33% | 8 Missing ⚠️ |
| packages/core/src/providers/linkedin.ts | 0.00% | 1 Missing ⚠️ |

Additional details and impacted files

```diff
@@            Coverage Diff             @@
##             main   #10765      +/-   ##
==========================================
- Coverage   41.46%   41.46%   -0.01%
==========================================
  Files         172      172
  Lines       28236    28240       +4
  Branches     1171     1172       +1
==========================================
+ Hits        11709    11710       +1
- Misses      16527    16530       +3
```
