feat(op): always verify code challenge when available (#721)

Finally the RFC Best Current Practice for OAuth 2.0 Security has been approved. According to the RFC: > Authorization servers MUST support PKCE [RFC7636]. > > If a client sends a valid PKCE code_challenge parameter in the authorization request, the authorization server MUST enforce the correct usage of code_verifier at the token endpoint. Isn’t it time we strengthen PKCE support a bit more? This PR updates the logic so that PKCE is always verified, even when the Auth Method is not "none".
2025-03-25 01:00:04 +09:00 · 2025-03-25 01:00:04 +09:00 · c51628ea27
commit c51628ea27
parent 7096406e71
6 changed files with 45 additions and 15 deletions
--- a/example/server/exampleop/templates/login.html
+++ b/example/server/exampleop/templates/login.html
@ -25,5 +25,5 @@
            <button type="submit">Login</button>
        </form>
    </body>
-</html>`
-{{- end }}
+</html>
+{{- end }}