fix(op): Add mitigation for PKCE downgrade attack

This commit is contained in:
Ayato 2025-04-29 11:53:48 +09:00
parent b917cdc2e3
commit f8c3a2c6aa
No known key found for this signature in database
GPG key ID: 56E05AE09DBA012D
2 changed files with 11 additions and 6 deletions


@ -80,12 +80,9 @@ func AuthorizeCodeClient(ctx context.Context, tokenReq *oidc.AccessTokenRequest,
}
codeChallenge := request.GetCodeChallenge()
if codeChallenge != nil {
err = AuthorizeCodeChallenge(tokenReq.CodeVerifier, codeChallenge)
if err != nil {
return nil, nil, err
}
err = AuthorizeCodeChallenge(tokenReq.CodeVerifier, codeChallenge)
if err != nil {
return nil, nil, err
}
if tokenReq.ClientAssertionType == oidc.ClientAssertionTypeJWTAssertion {
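Review bot: The now-unconditional call to AuthorizeCodeChallenge carries no comment explaining why the former `if codeChallenge != nil` guard must not be reintroduced, so the downgrade protection rests on a convention that a later refactor could silently undo; add above the call `// Always run the PKCE check, even when no challenge was stored: a verifier without a challenge, or a challenge without a verifier, is rejected inside AuthorizeCodeChallenge (PKCE downgrade mitigation).` The rejection itself lives in AuthorizeCodeChallenge in the second file, whose nil-challenge branch errors only when a verifier was supplied, so clients that never used PKCE should still pass — worth confirming with a test for both the nil/empty and nil/non-empty cases. In that helper's `if codeVerifier == ""` branch the description returned through this path reads `"code_challenge required"`, which appears to name the wrong parameter for a request whose stored challenge is present but whose verifier is missing; `"code_verifier required"` would describe the actual condition. AuthorizeCodeClient begins and ends outside the hunk, and `err` is declared before it.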


@ -132,6 +132,14 @@ func AuthorizeClientIDSecret(ctx context.Context, clientID, clientSecret string,
// AuthorizeCodeChallenge authorizes a client by validating the code_verifier against the previously sent
// code_challenge of the auth request (PKCE)
func AuthorizeCodeChallenge(codeVerifier string, challenge *oidc.CodeChallenge) error {
if challenge == nil {
if codeVerifier != "" {
return oidc.ErrInvalidRequest().WithDescription("code_verifier unexpectedly provided")
}
return nil
}
if codeVerifier == "" {
return oidc.ErrInvalidRequest().WithDescription("code_challenge required")
}