From f8c3a2c6aa8fb3e586744a49be946cae2e22346e Mon Sep 17 00:00:00 2001
From: Ayato
Date: Tue, 29 Apr 2025 11:53:48 +0900
Subject: [PATCH] fix(op): Add mitigation for PKCE downgrade attack

---
 pkg/op/token_code.go    | 9 +++------
 pkg/op/token_request.go | 8 ++++++++
 2 files changed, 11 insertions(+), 6 deletions(-)

diff --git a/pkg/op/token_code.go b/pkg/op/token_code.go
index 019aa63..fb636b4 100644
--- a/pkg/op/token_code.go
+++ b/pkg/op/token_code.go
@@ -80,12 +80,9 @@ func AuthorizeCodeClient(ctx context.Context, tokenReq *oidc.AccessTokenRequest,
 	}
 
 	codeChallenge := request.GetCodeChallenge()
-	if codeChallenge != nil {
-		err = AuthorizeCodeChallenge(tokenReq.CodeVerifier, codeChallenge)
-
-		if err != nil {
-			return nil, nil, err
-		}
+	err = AuthorizeCodeChallenge(tokenReq.CodeVerifier, codeChallenge)
+	if err != nil {
+		return nil, nil, err
 	}
 
 	if tokenReq.ClientAssertionType == oidc.ClientAssertionTypeJWTAssertion {
diff --git a/pkg/op/token_request.go b/pkg/op/token_request.go
index 85e2270..195c39c 100644
--- a/pkg/op/token_request.go
+++ b/pkg/op/token_request.go
@@ -132,6 +132,14 @@ func AuthorizeClientIDSecret(ctx context.Context, clientID, clientSecret string,
 // AuthorizeCodeChallenge authorizes a client by validating the code_verifier against the previously sent
 // code_challenge of the auth request (PKCE)
 func AuthorizeCodeChallenge(codeVerifier string, challenge *oidc.CodeChallenge) error {
+	if challenge == nil {
+		if codeVerifier != "" {
+			return oidc.ErrInvalidRequest().WithDescription("code_verifier unexpectedly provided")
+		}
+
+		return nil
+	}
+
 	if codeVerifier == "" {
 		return oidc.ErrInvalidRequest().WithDescription("code_challenge required")
 	}