Closed cheesemacfly closed 6 years ago
@cheesemacfly great find, thank you! I'll update the client with nanoid instead of uuid and adjust the length appropriately.
or better, yet, not requiring a library for something this trivial https://github.com/panva/node-openid-client/compare/60d0cb8...ea4a8fd
Woa, that was super fast!
LGTM, just as a side note nanoid doesn't use as many characters as allowed for the code_verifier but I don't think that's an issue. Also 43 characters is the minimum length, maybe we could allow for more (up to 128) as an option? Either way, thanks for the quick fix and the work you've done with this library!
EDIT: by many characters as allowed I mean that nanoid will use A-Za-z0-9_~
while we're allowed to use A-Za-z0-9_~.-
.
As is it follows the recomendation
It is RECOMMENDED that the output of a suitable random number generator be used to create a 32-octet sequence. The octet sequence is then base64url-encoded to produce a 43-octet URL safe string to use as the code verifier.
I was actually looking at the first commit not the last one for some reason. Great fix, thanks!
In the passport strategy
uuid()
is being used to generate thecode_verifier
butuuid()
is too short and limits the characters that can be used for thecode_verifier
.uuid()
always generates 36 characters but the RFC 7636 requires acode_verifier
of at least 43 characters.I'd suggest generating the
code_verifier
using something similar to this:I can create a PR if needed.