This repository was archived by the owner on Jun 12, 2021. It is now read-only.
We have found two (corner case) issues with PKCE:

1. In configurations with PKCE enabled as not essential, and `plain` challenge method not supported, authentication requests without PKCE parameters fail. The reason behind this is that because the challenge method is missing, `plain` is set and afterwards a check for the `code_challenge_method` validity fails, because we do not support `plain`. I suppose that this check must be done only in case `code_challenge` is included in the request.
2. `add_pkce_support` method assumes both `authorization` and `token` endpoints are configured so it makes no checks before trying to add PKCE hook methods. As a result it crashes if either is missing. I propose that instead of crashing we make the required checks and in the case either is missing, we log a warning and skip the configuration.
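The two behaviours proposed in the issue, written out as an added example (this is not the project's own code, and the names `Endpoint`, `validate_pkce_request`, `add_pkce_support` and `PkceDecision` are assumptions made for the illustration): the authorization-endpoint check only looks at `code_challenge_method` once a `code_challenge` is actually present, so a non-PKCE request under non-essential PKCE is accepted instead of being defaulted to `plain` and then rejected; and the hook installer logs a warning and returns instead of crashing when the `authorization` or `token` endpoint is missing. The token-side verifier and the RFC 7636 S256 transform are included so the whole flow can be exercised offline.

```python
"""Added example, not the project's own code: PKCE handling for an OAuth 2.0 /
OpenID Connect authorization server, illustrating the two fixes proposed in
the issue. Endpoint, PkceDecision, validate_pkce_request and add_pkce_support
are names assumed for this example."""
import base64
import hashlib
import hmac
import logging
from typing import Dict, List, NamedTuple, Optional, Sequence

logger = logging.getLogger(__name__)


class PkceDecision(NamedTuple):
    accepted: bool          # False means the authorization request must be rejected
    method: Optional[str]   # effective code_challenge_method, None when PKCE is not used
    error: Optional[str]    # human-readable reason when rejected


def validate_pkce_request(request: Dict[str, str], essential: bool,
                          supported_methods: Sequence[str]) -> PkceDecision:
    """Validate the PKCE parameters of an authorization request.

    The challenge method is examined only when a code_challenge is present.
    Defaulting a missing method to "plain" and then rejecting "plain" as
    unsupported would turn every non-PKCE request into an error whenever PKCE
    is merely optional (the first issue described above).
    """
    challenge = request.get("code_challenge")
    if challenge is None:
        if essential:
            return PkceDecision(False, None, "code_challenge is required")
        return PkceDecision(True, None, None)  # PKCE simply not used by this client
    # RFC 7636 section 4.3: an absent code_challenge_method means "plain".
    method = request.get("code_challenge_method", "plain")
    if method not in supported_methods:
        return PkceDecision(False, None,
                            f"unsupported code_challenge_method {method!r}")
    return PkceDecision(True, method, None)


def code_challenge_for(verifier: str, method: str) -> str:
    """Compute the code_challenge expected for a code_verifier (RFC 7636 section 4.2)."""
    if method == "plain":
        return verifier
    if method == "S256":
        digest = hashlib.sha256(verifier.encode("ascii")).digest()
        return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    raise ValueError(f"unknown code_challenge_method {method!r}")


def verify_code_verifier(challenge: str, method: str, verifier: str) -> bool:
    """Token-endpoint side check: constant-time compare against the stored challenge."""
    return hmac.compare_digest(challenge, code_challenge_for(verifier, method))


class Endpoint:
    """Minimal stand-in (assumed for this example) for a provider endpoint with hooks."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.pre_hooks: List = []
        self.post_hooks: List = []


def add_pkce_support(endpoints: Dict[str, Endpoint], essential: bool,
                     supported_methods: Sequence[str]) -> bool:
    """Install the PKCE hooks on the authorization and token endpoints.

    Instead of crashing when either endpoint is absent (the second issue
    described above), log a warning and skip the configuration. Returns True
    only when the hooks were actually installed.
    """
    missing = [n for n in ("authorization", "token") if n not in endpoints]
    if missing:
        logger.warning("PKCE support not configured: missing endpoint(s) %s",
                       ", ".join(missing))
        return False

    def authorization_hook(request: Dict[str, str]) -> PkceDecision:
        return validate_pkce_request(request, essential, supported_methods)

    def token_hook(challenge: str, method: str, verifier: str) -> bool:
        return verify_code_verifier(challenge, method, verifier)

    endpoints["authorization"].pre_hooks.append(authorization_hook)
    endpoints["token"].pre_hooks.append(token_hook)
    return True
```

With `essential=False` and `supported_methods=("S256",)`, a request carrying only `client_id` is accepted with `method=None`, while a request that carries a `code_challenge` but no method is still rejected (its method defaults to `plain`, which this configuration does not support), which is the behaviour the RFC requires. The S256 vector used in the test is the one from RFC 7636 Appendix B.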