Revert "feat(op): always verify code challenge when available (#721)"

Breaks OIDC for some not yet updated applications, that we use. This reverts commit c51628ea27.
2025-06-20 08:44:27 +02:00 · 2025-06-20 08:44:27 +02:00 · 154fbe6420
commit 154fbe6420
parent d6e37fa741
6 changed files with 15 additions and 42 deletions
--- a/example/client/app/app.go
+++ b/example/client/app/app.go
@ -7,7 +7,6 @@ import (
 	"log/slog"
 	"net/http"
 	"os"
-	"strconv"
 	"strings"
 	"sync/atomic"
 	"time"
@ -35,14 +34,6 @@ func main() {
 	scopes := strings.Split(os.Getenv("SCOPES"), " ")
 	responseMode := os.Getenv("RESPONSE_MODE")

-	var pkce bool
-	if pkceEnv, ok := os.LookupEnv("PKCE"); ok {
-		var err error
-		pkce, err = strconv.ParseBool(pkceEnv)
-		if err != nil {
-			logrus.Fatalf("error parsing PKCE %s", err.Error())
-		}
-	}
 	redirectURI := fmt.Sprintf("http://localhost:%v%v", port, callbackPath)
 	cookieHandler := httphelper.NewCookieHandler(key, key, httphelper.WithUnsecure())

@ -73,9 +64,6 @@ func main() {
 	if keyPath != "" {
 		options = append(options, rp.WithJWTProfile(rp.SignerFromKeyPath(keyPath)))
 	}
-	if pkce {
-		options = append(options, rp.WithPKCE(cookieHandler))
-	}

 	// One can add a logger to the context,
 	// pre-defining log attributes as required.
--- a/example/server/exampleop/templates/login.html
+++ b/example/server/exampleop/templates/login.html
@ -25,5 +25,5 @@
            <button type="submit">Login</button>
        </form>
    </body>
-</html>
-{{- end }}
+</html>`
+{{- end }}
--- a/example/server/storage/oidc.go
+++ b/example/server/storage/oidc.go
@ -18,7 +18,7 @@ const (
 	// CustomClaim is an example for how to return custom claims with this library
 	CustomClaim = "custom_claim"

-	// CustomScopeImpersonatePrefix is an example scope prefix for passing user id to impersonate using token exchange
+	// CustomScopeImpersonatePrefix is an example scope prefix for passing user id to impersonate using token exchage
 	CustomScopeImpersonatePrefix = "custom_scope:impersonate:"
 )

@ -143,14 +143,6 @@ func MaxAgeToInternal(maxAge *uint) *time.Duration {
 }

 func authRequestToInternal(authReq *oidc.AuthRequest, userID string) *AuthRequest {
-	var codeChallenge *OIDCCodeChallenge
-	if authReq.CodeChallenge != "" {
-		codeChallenge = &OIDCCodeChallenge{
-			Challenge: authReq.CodeChallenge,
-			Method:    string(authReq.CodeChallengeMethod),
-		}
-	}
-
 	return &AuthRequest{
 		CreationDate:  time.Now(),
 		ApplicationID: authReq.ClientID,
@ -165,7 +157,10 @@ func authRequestToInternal(authReq *oidc.AuthRequest, userID string) *AuthReques
 		ResponseType:  authReq.ResponseType,
 		ResponseMode:  authReq.ResponseMode,
 		Nonce:         authReq.Nonce,
-		CodeChallenge: codeChallenge,
+		CodeChallenge: &OIDCCodeChallenge{
+			Challenge: authReq.CodeChallenge,
+			Method:    string(authReq.CodeChallengeMethod),
+		},
 	}
 }

--- a/pkg/op/op_test.go
+++ b/pkg/op/op_test.go
@ -102,7 +102,6 @@ func TestRoutes(t *testing.T) {
 	authReq, err := storage.CreateAuthRequest(ctx, oidcAuthReq, "id1")
 	require.NoError(t, err)
 	storage.AuthRequestDone(authReq.GetID())
-	storage.SaveAuthCode(ctx, authReq.GetID(), "123")

 	accessToken, refreshToken, _, err := op.CreateAccessToken(ctx, authReq, op.AccessTokenTypeBearer, testProvider, client, "")
 	require.NoError(t, err)
--- a/pkg/op/server_http_routes_test.go
+++ b/pkg/op/server_http_routes_test.go
@ -130,7 +130,7 @@ func TestServerRoutes(t *testing.T) {
 				"client_id":     client.GetID(),
 				"client_secret": "secret",
 				"redirect_uri":  "https://example.com",
-				"code":          "abc",
+				"code":          "123",
 			},
 			wantCode: http.StatusBadRequest,
 			json:     `{"error":"invalid_grant", "error_description":"invalid code"}`,
--- a/pkg/op/token_code.go
+++ b/pkg/op/token_code.go
@ -74,17 +74,6 @@ func AuthorizeCodeClient(ctx context.Context, tokenReq *oidc.AccessTokenRequest,
 	ctx, span := tracer.Start(ctx, "AuthorizeCodeClient")
 	defer span.End()

-	request, err = AuthRequestByCode(ctx, exchanger.Storage(), tokenReq.Code)
-	if err != nil {
-		return nil, nil, err
-	}
-
-	codeChallenge := request.GetCodeChallenge()
-	err = AuthorizeCodeChallenge(tokenReq.CodeVerifier, codeChallenge)
-	if err != nil {
-		return nil, nil, err
-	}
-
 	if tokenReq.ClientAssertionType == oidc.ClientAssertionTypeJWTAssertion {
 		jwtExchanger, ok := exchanger.(JWTAuthorizationGrantExchanger)
 		if !ok || !exchanger.AuthMethodPrivateKeyJWTSupported() {
@ -94,9 +83,9 @@ func AuthorizeCodeClient(ctx context.Context, tokenReq *oidc.AccessTokenRequest,
 		if err != nil {
 			return nil, nil, err
 		}
+		request, err = AuthRequestByCode(ctx, exchanger.Storage(), tokenReq.Code)
 		return request, client, err
 	}
-
 	client, err = exchanger.Storage().GetClientByClientID(ctx, tokenReq.ClientID)
 	if err != nil {
 		return nil, nil, oidc.ErrInvalidClient().WithParent(err)
@ -105,10 +94,12 @@ func AuthorizeCodeClient(ctx context.Context, tokenReq *oidc.AccessTokenRequest,
 		return nil, nil, oidc.ErrInvalidClient().WithDescription("private_key_jwt not allowed for this client")
 	}
 	if client.AuthMethod() == oidc.AuthMethodNone {
-		if codeChallenge == nil {
-			return nil, nil, oidc.ErrInvalidRequest().WithDescription("PKCE required")
+		request, err = AuthRequestByCode(ctx, exchanger.Storage(), tokenReq.Code)
+		if err != nil {
+			return nil, nil, err
 		}
-		return request, client, nil
+		err = AuthorizeCodeChallenge(tokenReq.CodeVerifier, request.GetCodeChallenge())
+		return request, client, err
 	}
 	if client.AuthMethod() == oidc.AuthMethodPost && !exchanger.AuthMethodPostSupported() {
 		return nil, nil, oidc.ErrInvalidClient().WithDescription("auth_method post not supported")
@ -117,7 +108,7 @@ func AuthorizeCodeClient(ctx context.Context, tokenReq *oidc.AccessTokenRequest,
 	if err != nil {
 		return nil, nil, err
 	}
-
+	request, err = AuthRequestByCode(ctx, exchanger.Storage(), tokenReq.Code)
 	return request, client, err
 }