zitadel-oidc

cim/zitadel-oidc

Fork 0

Commit graph

Author	SHA1	Message	Date
Ayato	c51628ea27	feat(op): always verify code challenge when available (#721 ) Finally the RFC Best Current Practice for OAuth 2.0 Security has been approved. According to the RFC: > Authorization servers MUST support PKCE [RFC7636]. > > If a client sends a valid PKCE code_challenge parameter in the authorization request, the authorization server MUST enforce the correct usage of code_verifier at the token endpoint. Isn’t it time we strengthen PKCE support a bit more? This PR updates the logic so that PKCE is always verified, even when the Auth Method is not "none".	2025-03-24 18:00:04 +02:00
Tim Möhlmann	2342f208ef	implement RFC 8628: Device authorization grant	2023-03-01 08:59:17 +01:00

Author

SHA1

Message

Date

Ayato

c51628ea27

feat(op): always verify code challenge when available (#721 )

Finally the RFC Best Current Practice for OAuth 2.0 Security has been approved.

According to the RFC:

> Authorization servers MUST support PKCE [RFC7636].
> 
> If a client sends a valid PKCE code_challenge parameter in the authorization request, the authorization server MUST enforce the correct usage of code_verifier at the token endpoint.

Isn’t it time we strengthen PKCE support a bit more?

This PR updates the logic so that PKCE is always verified, even when the Auth Method is not "none".

2025-03-24 18:00:04 +02:00

Tim Möhlmann

2342f208ef

implement RFC 8628: Device authorization grant

2023-03-01 08:59:17 +01:00

2 commits