c51628ea27
Finally the RFC Best Current Practice for OAuth 2.0 Security has been approved. According to the RFC: > Authorization servers MUST support PKCE [RFC7636]. > > If a client sends a valid PKCE code_challenge parameter in the authorization request, the authorization server MUST enforce the correct usage of code_verifier at the token endpoint. Isn’t it time we strengthen PKCE support a bit more? This PR updates the logic so that PKCE is always verified, even when the Auth Method is not "none". |
||
|---|---|---|
| .. | ||
| client.go | ||
| oidc.go | ||
| storage.go | ||
| storage_dynamic.go | ||
| token.go | ||
| user.go | ||
| user_test.go | ||