cim/zitadel-oidc
5
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
703 commits 8 branches 227 tags 3.4 MiB
Commit graph

3 commits

Author SHA1 Message Date
ORZ (Paul Orzel)
154fbe6420 Revert "feat(op): always verify code challenge when available (#721)"
Some checks failed
Code scanning - action / CodeQL-Build (push) Failing after 2m48s
Details
Release / Go 1.23 test (push) Has been cancelled
Details
Release / Go 1.24 test (push) Has been cancelled
Details
Release / release (push) Has been cancelled
Details 
Breaks OIDC for some not yet updated applications, that we use.

This reverts commit c51628ea27.
 2025-06-20 08:44:27 +02:00
Ayato
c51628ea27
feat(op): always verify code challenge when available (#721) 
Finally the RFC Best Current Practice for OAuth 2.0 Security has been approved.

According to the RFC:

> Authorization servers MUST support PKCE [RFC7636].
> 
> If a client sends a valid PKCE code_challenge parameter in the authorization request, the authorization server MUST enforce the correct usage of code_verifier at the token endpoint.

Isn’t it time we strengthen PKCE support a bit more?

This PR updates the logic so that PKCE is always verified, even when the Auth Method is not "none".
 2025-03-24 18:00:04 +02:00
Tim Möhlmann
2342f208ef
implement RFC 8628: Device authorization grant 2023-03-01 08:59:17 +01:00