cim/zitadel-oidc
5
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Revert "feat(op): always verify code challenge when available (#721)"
Some checks failed
Code scanning - action / CodeQL-Build (push) Failing after 2m48s
Details
Release / Go 1.23 test (push) Has been cancelled
Details
Release / Go 1.24 test (push) Has been cancelled
Details
Release / release (push) Has been cancelled
Details

Browse source 
Breaks OIDC for some not yet updated applications, that we use.

This reverts commit c51628ea27.
This commit is contained in:
ORZ (Paul Orzel) 2025-06-20 08:44:27 +02:00
parent d6e37fa741
commit 154fbe6420
6 changed files with 15 additions and 42 deletions
Download patch file Download diff file Expand all files Collapse all files

12
example/client/app/app.go
View file

@ -7,7 +7,6 @@ import (
"log/slog"
"net/http"
"os"
"strconv"
"strings"
"sync/atomic"
"time"
@ -35,14 +34,6 @@ func main() {
scopes := strings.Split(os.Getenv("SCOPES"), " ")
responseMode := os.Getenv("RESPONSE_MODE")
var pkce bool
if pkceEnv, ok := os.LookupEnv("PKCE"); ok {
var err error
pkce, err = strconv.ParseBool(pkceEnv)
if err != nil {
logrus.Fatalf("error parsing PKCE %s", err.Error())
}
}
redirectURI := fmt.Sprintf("http://localhost:%v%v", port, callbackPath)
cookieHandler := httphelper.NewCookieHandler(key, key, httphelper.WithUnsecure())
@ -73,9 +64,6 @@ func main() {
if keyPath != "" {
options = append(options, rp.WithJWTProfile(rp.SignerFromKeyPath(keyPath)))
}
if pkce {
options = append(options, rp.WithPKCE(cookieHandler))
}
// One can add a logger to the context,
// pre-defining log attributes as required.

4
example/server/exampleop/templates/login.html
View file

@ -25,5 +25,5 @@
<button type="submit">Login</button>
</form>
</body>
</html>
{{- end }}
</html>`
{{- end }}

15
example/server/storage/oidc.go
View file

@ -18,7 +18,7 @@ const (
// CustomClaim is an example for how to return custom claims with this library
CustomClaim = "custom_claim"
// CustomScopeImpersonatePrefix is an example scope prefix for passing user id to impersonate using token exchange
// CustomScopeImpersonatePrefix is an example scope prefix for passing user id to impersonate using token exchage
CustomScopeImpersonatePrefix = "custom_scope:impersonate:"
)
@ -143,14 +143,6 @@ func MaxAgeToInternal(maxAge *uint) *time.Duration {
}
func authRequestToInternal(authReq *oidc.AuthRequest, userID string) *AuthRequest {
var codeChallenge *OIDCCodeChallenge
if authReq.CodeChallenge != "" {
codeChallenge = &OIDCCodeChallenge{
Challenge: authReq.CodeChallenge,
Method: string(authReq.CodeChallengeMethod),
}
}
return &AuthRequest{
CreationDate: time.Now(),
ApplicationID: authReq.ClientID,
@ -165,7 +157,10 @@ func authRequestToInternal(authReq *oidc.AuthRequest, userID string) *AuthReques
ResponseType: authReq.ResponseType,
ResponseMode: authReq.ResponseMode,
Nonce: authReq.Nonce,
CodeChallenge: codeChallenge,
CodeChallenge: &OIDCCodeChallenge{
Challenge: authReq.CodeChallenge,
Method: string(authReq.CodeChallengeMethod),
},
}
}