fix(op): Add mitigation for PKCE Downgrade Attack (#741)

* fix(op): Add mitigation for PKCE downgrade attack

* chore(op): add test for PKCE verification
Ayato 2025-04-29 23:33:31 +09:00 committed by GitHub
parent 5913c5a074
commit 4f0ed79c0a
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 88 additions and 8 deletions


@ -132,11 +132,19 @@ func AuthorizeClientIDSecret(ctx context.Context, clientID, clientSecret string,
// AuthorizeCodeChallenge authorizes a client by validating the code_verifier against the previously sent
// code_challenge of the auth request (PKCE)
func AuthorizeCodeChallenge(codeVerifier string, challenge *oidc.CodeChallenge) error {
if challenge == nil {
if codeVerifier != "" {
return oidc.ErrInvalidRequest().WithDescription("code_verifier unexpectedly provided")
}
return nil
}
if codeVerifier == "" {
return oidc.ErrInvalidRequest().WithDescription("code_challenge required")
return oidc.ErrInvalidRequest().WithDescription("code_verifier required")
}
if !oidc.VerifyCodeChallenge(challenge, codeVerifier) {
return oidc.ErrInvalidGrant().WithDescription("invalid code challenge")
return oidc.ErrInvalidGrant().WithDescription("invalid code_verifier")
}
return nil
}
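Review bot: The new downgrade guard at the top of AuthorizeCodeChallenge only fires when `challenge` is a nil pointer, so a caller that reconstructs the auth request's PKCE data as a non-nil `*oidc.CodeChallenge` with an empty challenge string would let a supplied code_verifier skip the "code_verifier unexpectedly provided" branch and fall through to VerifyCodeChallenge; the callers are outside this hunk, so whether that shape occurs is inferred. If it can, the guard should treat an empty challenge like nil, e.g. `if challenge == nil || challenge.Challenge == "" {` (assuming the struct exposes the challenge string as `Challenge`). The doc comment above the function should also state the new behaviour, e.g. `// A code_verifier sent for an auth request that carried no code_challenge is rejected (PKCE downgrade mitigation).`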