pka / actix-web-oauth2

Actix web OAuth2 examples
MIT License
55 stars 9 forks

[security] incomplete pkce code verification process #4

Open Firstyear opened 3 years ago

Firstyear commented 3 years ago

Hi there,

This example repo appears to have a security flaw.

During the login process, you call set_pkce_challenge during the initial OAuth call; however, during exchange_code, you do not call set_pkce_verifier. This means that a strict OAuth server cannot proceed to validate the PKCE values, which means the token retrieval will fail.

https://docs.rs/oauth2/4.0.0/oauth2/struct.CodeTokenRequest.html#method.set_pkce_verifier

Firstyear commented 3 years ago

Additionally, can you please confirm if your example site still works on GitLab? If so, then we need to inform GitLab that they may not be verifying PKCE correctly.
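To make the two comments above concrete, here is an added example (not code from this repository or from the oauth2 crate) that models the S256 PKCE check of RFC 7636 at a token endpoint. The `AuthServer`, `login_flow`, client id and error strings are constructed for illustration. `login_flow(..., send_verifier=False)` reproduces the reported bug: a code_challenge is bound to the authorization code but no code_verifier is sent at exchange. A strict server rejects that exchange; the `strict=False` mode models the lenient behaviour the second comment suspects, where a server that skips the check lets the flawed example appear to work.

```python
"""
Model of the PKCE S256 check (RFC 7636) at an OAuth 2.0 token endpoint,
with a client that omits code_verifier (the bug reported in this issue)
beside one that sends it. Constructed example, not code from the
actix-web-oauth2 repo or the oauth2 crate.
"""
import base64
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Optional


def b64url_nopad(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 Appendix A requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_code_verifier(n_bytes: int = 32) -> str:
    """Random verifier; 32 bytes encode to 43 chars, the RFC 7636 minimum."""
    return b64url_nopad(secrets.token_bytes(n_bytes))


def s256_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())


@dataclass
class AuthServer:
    """Toy authorization server (hypothetical). strict=True enforces PKCE
    whenever a challenge was bound to the code; strict=False models a
    server that silently skips the check when code_verifier is absent."""
    strict: bool = True
    codes: dict = field(default_factory=dict)

    def authorize(self, client_id: str, code_challenge: Optional[str],
                  method: str = "S256") -> str:
        """Authorization endpoint: bind the challenge to a fresh code."""
        code = secrets.token_urlsafe(24)
        self.codes[code] = (client_id, code_challenge, method)
        return code

    def token(self, client_id: str, code: str,
              code_verifier: Optional[str] = None) -> dict:
        """Token endpoint: redeem the code, verifying PKCE if one was bound."""
        entry = self.codes.pop(code, None)  # authorization codes are single use
        if entry is None or entry[0] != client_id:
            return {"error": "invalid_grant"}
        _, challenge, method = entry
        if challenge is not None:
            if code_verifier is None:
                if self.strict:
                    return {"error": "invalid_grant",
                            "error_description": "code_verifier missing"}
                # lenient server: falls through and issues a token anyway
            else:
                if method != "S256":
                    return {"error": "invalid_request",
                            "error_description": "unsupported method"}
                if not 43 <= len(code_verifier) <= 128:
                    return {"error": "invalid_grant",
                            "error_description": "bad verifier length"}
                # constant-time compare of the recomputed challenge
                if not secrets.compare_digest(s256_challenge(code_verifier),
                                              challenge):
                    return {"error": "invalid_grant",
                            "error_description": "code_verifier mismatch"}
        return {"access_token": secrets.token_urlsafe(32),
                "token_type": "Bearer"}


def login_flow(server: AuthServer, send_verifier: bool) -> dict:
    """Client side: challenge in the authorize request, then the token
    exchange with or without the verifier. send_verifier=False mirrors
    calling set_pkce_challenge but never set_pkce_verifier."""
    verifier = new_code_verifier()
    code = server.authorize("demo-client", s256_challenge(verifier))
    # Anyone who intercepts `code` still lacks `verifier`, which is the
    # property PKCE exists to provide; it only holds if the server checks.
    return server.token("demo-client", code,
                        code_verifier=verifier if send_verifier else None)


if __name__ == "__main__":
    print("strict, no verifier :", login_flow(AuthServer(strict=True), False))
    print("strict, verifier    :", login_flow(AuthServer(strict=True), True))
    print("lenient, no verifier:", login_flow(AuthServer(strict=False), False))
```

The first call fails with `invalid_grant`, which is what a strict provider returns to the repository's login flow; the third succeeds only because the toy server skips the check, the behaviour a provider that accepts the flawed example would have to exhibit. The RFC 7636 Appendix B test vector can be used to confirm `s256_challenge` itself.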