Closed scruoge closed 5 months ago
I've had a very quick look at this (in work) and I can see we have a verifier for an S256 code challenge. Is this not being used? Are you able to link to some code? I can have a look at this this evening but any assistance you can give in pointing to the issue in the code would be greatly appreciated. Thank you
This validation applies to both the S256 and plain code_challenge_method, while different methods process the code_challenge string differently (according to the RFC I've quoted above). I'm getting a problem when passing code_challenge='lokeXcw5iV7Y3CGiaOdzsX0KQ15dk9P5MCs8Bb3ZphE=', which is:

// as posted: standard base64, not base64url
$codeVerifier = base64_encode(random_bytes(32));
$codeChallenge = base64_encode(hash(algo: 'sha256', data: $codeVerifier, binary: true));
my bad. base64-url !== base64. I think the issue can be closed
The current implementation of AuthCodeGrant applies the wrong validation rules to code_challenge. It verifies code_challenge as if it were code_verifier, which is correct for the plain code_challenge_method but wrong for the S256 code_challenge_method. This is what the code_challenge parameter should be according to RFC 7637, which the code comment in AuthCodeGrant refers to:
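As an added example (not code from this issue or from the oauth2-server library), the following PHP 8 snippet shows the difference the issue describes: a plain challenge has verifier syntax, while an S256 challenge is the base64url-encoded SHA-256 digest without padding, so a shape check for code_challenge must depend on code_challenge_method, and the base64 challenge quoted in the thread fails the S256 check. Function names are my own assumptions.

```php
<?php
// Added example, not oauth2-server code: PKCE (RFC 7636) challenge handling in PHP 8.
// S256 challenge = BASE64URL-ENCODE(SHA256(ASCII(code_verifier))), no '=' padding;
// plain challenge = the verifier itself. Function names are assumptions.

function base64url_encode(string $bytes): string
{
    return rtrim(strtr(base64_encode($bytes), '+/', '-_'), '=');
}

function compute_code_challenge(string $verifier, string $method): string
{
    return match ($method) {
        'plain' => $verifier,
        'S256'  => base64url_encode(hash('sha256', $verifier, true)),
        default => throw new InvalidArgumentException("unsupported method: $method"),
    };
}

// Authorization-endpoint shape check: the rule depends on code_challenge_method.
// plain: 43-128 unreserved chars (verifier syntax); S256: 43 base64url chars.
function is_valid_code_challenge(string $challenge, string $method): bool
{
    return match ($method) {
        'plain' => (bool) preg_match('/^[A-Za-z0-9\-._~]{43,128}$/', $challenge),
        'S256'  => (bool) preg_match('/^[A-Za-z0-9\-_]{43}$/', $challenge),
        default => false,
    };
}

// Token-endpoint check: validate the verifier's syntax, then recompute the challenge
// and compare it in constant time.
function verify_code_verifier(string $verifier, string $challenge, string $method): bool
{
    if (!preg_match('/^[A-Za-z0-9\-._~]{43,128}$/', $verifier)) {
        return false;
    }
    return hash_equals($challenge, compute_code_challenge($verifier, $method));
}

// The challenge from the issue is standard base64 (trailing '='), so the S256 shape
// check rejects it; a challenge derived with base64url passes both checks.
var_dump(is_valid_code_challenge('lokeXcw5iV7Y3CGiaOdzsX0KQ15dk9P5MCs8Bb3ZphE=', 'S256'));
$verifier  = base64url_encode(random_bytes(32)); // 32 bytes -> 43 URL-safe chars
$challenge = compute_code_challenge($verifier, 'S256');
var_dump(is_valid_code_challenge($challenge, 'S256'), verify_code_verifier($verifier, $challenge, 'S256'));
```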