thephpleague / oauth2-server

A spec compliant, secure by default PHP OAuth 2.0 Server
https://oauth2.thephpleague.com
MIT License

AuthCodeGrant applies wrong validation rules on code_challenge #1392

Closed scruoge closed 5 months ago

scruoge commented 5 months ago

The current implementation of AuthCodeGrant applies the wrong validation rules to code_challenge. It verifies code_challenge as if it were code_verifier, which is correct for the plain code_challenge_method but wrong for the S256 code_challenge_method. This is what the code_challenge parameter should be according to RFC 7637, which the code comment in AuthCodeGrant refers to:

   plain
      code_challenge = code_verifier

   S256
      code_challenge = BASE64URL-ENCODE(SHA256(ASCII(code_verifier)))
Sephster commented 5 months ago

I've had a very quick look at this (in work) and I can see we have a verifier for an S256 code challenge. Is this not being used? Are you able to link to some code? I can have a look at this this evening but any assistance you can give in pointing to the issue in the code would be greatly appreciated. Thank you

scruoge commented 5 months ago

https://github.com/thephpleague/oauth2-server/blob/0576f3920115d27edf661b70a784702d20f34b13/src/Grant/AuthCodeGrant.php#L328-L335

This validation applies for both the S256 and plain code_challenge_method, while the different methods process the code_challenge string differently (according to the RFC I quoted above). I'm getting a problem when passing code_challenge='lokeXcw5iV7Y3CGiaOdzsX0KQ15dk9P5MCs8Bb3ZphE=', which is:

$codeVerifier = base64_encode(random_bytes(32));
$codeChallenge = base64_encode(hash(algo: 'sha256', data: $codeVerifier, binary: true));
scruoge commented 5 months ago

My bad. base64-url !== base64. I think the issue can be closed.
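The client-side derivation and the server-side check from the RFC text quoted above, as an added example written for this thread (not code from thephpleague/oauth2-server); the function names are mine, and it assumes PHP 8 for `match`.

```php
<?php
declare(strict_types=1);

// Added example, not library code. PKCE (RFC 7636): the client derives
// code_challenge from code_verifier and the server recomputes it with the
// method recorded at authorization time. The encoding must be base64url
// (RFC 4648 §5, '-' and '_', no '=' padding); plain base64 yields a
// different string, which is why the challenge in this issue was rejected.

function base64url_encode(string $data): string
{
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

/** Client side: 32 random bytes -> 43-char verifier (allowed range 43..128). */
function make_code_verifier(): string
{
    return base64url_encode(random_bytes(32));
}

/** Client side: S256 challenge = BASE64URL-ENCODE(SHA256(ASCII(code_verifier))). */
function make_code_challenge(string $codeVerifier, string $method = 'S256'): string
{
    return match ($method) {
        'plain' => $codeVerifier,
        'S256'  => base64url_encode(hash('sha256', $codeVerifier, true)),
        default => throw new InvalidArgumentException("Unsupported method: {$method}"),
    };
}

/** Server side (token endpoint): recompute from the presented verifier, compare in constant time. */
function verify_code_verifier(string $codeVerifier, string $storedChallenge, string $method): bool
{
    // The verifier must use the RFC 7636 unreserved character set and length.
    if (preg_match('/^[A-Za-z0-9\-._~]{43,128}$/', $codeVerifier) !== 1) {
        return false;
    }
    return hash_equals($storedChallenge, make_code_challenge($codeVerifier, $method));
}

$verifier  = make_code_verifier();
$challenge = make_code_challenge($verifier);
var_dump(verify_code_verifier($verifier, $challenge, 'S256'));

// The mistake from this issue: standard base64 keeps '+', '/' and '=' padding,
// so the stored challenge never equals a base64url recomputation.
$wrongChallenge = base64_encode(hash('sha256', $verifier, true));
var_dump(verify_code_verifier($verifier, $wrongChallenge, 'S256'));
```

A base64url-encoded SHA-256 digest is always 43 characters from the unreserved set, so a correctly built S256 challenge passes the same character check a verifier does; the trailing `=` in the challenge quoted above is what fails it.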

scruoge commented 5 months ago

closed