fix: make pkce code_verifier spec compliant #125

follow recommendations for code_verifier: https://datatracker.ietf.org/doc/html/rfc7636#section-4.1
2021-09-09 14:31:31 +02:00 · 2021-09-09 14:31:31 +02:00 · af3a497b6d
commit af3a497b6d
parent 3574b211c8
1 changed files with 2 additions and 1 deletions
--- a/pkg/client/rp/relaying_party.go
+++ b/pkg/client/rp/relaying_party.go
@ -2,6 +2,7 @@ package rp

 import (
 	"context"
+	"encoding/base64"
 	"errors"
 	"net/http"
 	"strings"
@ -288,7 +289,7 @@ func AuthURLHandler(stateFn func() string, rp RelyingParty) http.HandlerFunc {

 //GenerateAndStoreCodeChallenge generates a PKCE code challenge and stores its verifier into a secure cookie
 func GenerateAndStoreCodeChallenge(w http.ResponseWriter, rp RelyingParty) (string, error) {
-	codeVerifier := uuid.New().String()
+	codeVerifier := base64.URLEncoding.EncodeToString([]byte(uuid.New().String()))
 	if err := rp.CookieHandler().SetCookie(w, pkceCode, codeVerifier); err != nil {
 		return "", err
 	}