From af3a497b6d7b00166977f6758f8be8ce33c064a5 Mon Sep 17 00:00:00 2001
From: Timo Volkmann
Date: Thu, 9 Sep 2021 14:31:31 +0200
Subject: [PATCH 1/2] fix: make pkce code_verifier spec compliant #125

follow recommendations for code_verifier: https://datatracker.ietf.org/doc/html/rfc7636#section-4.1
---
 pkg/client/rp/relaying_party.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/pkg/client/rp/relaying_party.go b/pkg/client/rp/relaying_party.go
index c9c7a8c..a72fa21 100644
--- a/pkg/client/rp/relaying_party.go
+++ b/pkg/client/rp/relaying_party.go
@@ -2,6 +2,7 @@ package rp
 import (
 "context"
+ "encoding/base64"
 "errors"
 "net/http"
 "strings"
@@ -288,7 +289,7 @@ func AuthURLHandler(stateFn func() string, rp RelyingParty) http.HandlerFunc {
 //GenerateAndStoreCodeChallenge generates a PKCE code challenge and stores its verifier into a secure cookie
 func GenerateAndStoreCodeChallenge(w http.ResponseWriter, rp RelyingParty) (string, error) {
- codeVerifier := uuid.New().String()
+ codeVerifier := base64.URLEncoding.EncodeToString([]byte(uuid.New().String()))
 if err := rp.CookieHandler().SetCookie(w, pkceCode, codeVerifier); err != nil {
 return "", err
 }

From 99812e0b8e74edd70272f846297b144cdde46282 Mon Sep 17 00:00:00 2001
From: Timo Volkmann <34778004+moximoti@users.noreply.github.com>
Date: Mon, 13 Sep 2021 13:56:38 +0200
Subject: [PATCH 2/2] pkce: encode code verifier with base64 without padding

Co-authored-by: Livio Amstutz
---
 pkg/client/rp/relaying_party.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkg/client/rp/relaying_party.go b/pkg/client/rp/relaying_party.go
index a72fa21..669a910 100644
--- a/pkg/client/rp/relaying_party.go
+++ b/pkg/client/rp/relaying_party.go
@@ -289,7 +289,7 @@ func AuthURLHandler(stateFn func() string, rp RelyingParty) http.HandlerFunc {
 //GenerateAndStoreCodeChallenge generates a PKCE code challenge and stores its verifier into a secure cookie
 func GenerateAndStoreCodeChallenge(w http.ResponseWriter, rp RelyingParty) (string, error) {
- codeVerifier := base64.URLEncoding.EncodeToString([]byte(uuid.New().String()))
+ codeVerifier := base64.RawURLEncoding.EncodeToString([]byte(uuid.New().String()))
 if err := rp.CookieHandler().SetCookie(w, pkceCode, codeVerifier); err != nil {
 return "", err
 }
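Review bot: The verifier on the `+` line still derives from `uuid.New().String()`, so its entropy is bounded by the UUID (122 random bits if this is a v4 from a CSPRNG-backed library, which the hunk does not show) spread across 48 base64url characters, whereas RFC 7636 §4.1 recommends 32 octets from a cryptographic RNG encoded as 43 characters; length and character set are now within the 43–128 unreserved-character requirement. Since the 36-byte canonical UUID text is a multiple of 3 octets, `base64.URLEncoding` produced no `=` padding either, so this hunk does not change the emitted value, and the same observation applies to the first patch's hunk on this line. Generating the octets directly with `crypto/rand` also surfaces an RNG failure as a returned error rather than relying on the uuid library's behaviour, and it needs `"crypto/rand"` added to the import block touched by the first patch. GenerateAndStoreCodeChallenge's body continues outside the hunk.
```go
func GenerateAndStoreCodeChallenge(w http.ResponseWriter, rp RelyingParty) (string, error) {
	// RFC 7636 §4.1: 32 random octets, base64url without padding -> 43 chars.
	var raw [32]byte
	if _, err := rand.Read(raw[:]); err != nil {
		return "", err
	}
	codeVerifier := base64.RawURLEncoding.EncodeToString(raw[:])
	// … unchanged: cookie storage and challenge derivation …
```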