Finally the RFC Best Current Practice for OAuth 2.0 Security has been approved. According to the RFC:

> Authorization servers MUST support PKCE [RFC7636].
>
> If a client sends a valid PKCE code_challenge parameter in the authorization request, the authorization server MUST enforce the correct usage of code_verifier at the token endpoint.

Isn't it time we strengthen PKCE support a bit more? This PR updates the logic so that PKCE is always verified, even when the Auth Method is not "none".
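The token-endpoint check the quoted requirement describes, as an added example that is not code from this PR or the project: whenever the stored authorization carries a `code_challenge`, the `code_verifier` is validated (RFC 7636 syntax, S256 or plain transform, constant-time comparison) before the code is exchanged, and that check runs after client authentication rather than being skipped for confidential clients. The type and function names (`StoredAuthorization`, `VerifyPKCE`, `AllowExchange`) and the error values are assumptions for this example; the test vector is the one from RFC 7636 Appendix B.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"regexp"
)

// Error values for the PKCE check (names are assumptions for this example).
var (
	ErrClientAuthFailed  = errors.New("token: client authentication failed")
	ErrMissingVerifier   = errors.New("pkce: code_verifier required because a code_challenge was sent")
	ErrMalformedVerifier = errors.New("pkce: code_verifier must be 43-128 unreserved characters")
	ErrUnknownMethod     = errors.New("pkce: unsupported code_challenge_method")
	ErrVerifierMismatch  = errors.New("pkce: code_verifier does not match code_challenge")
)

// RFC 7636 section 4.1: code_verifier is 43..128 characters of [A-Za-z0-9-._~].
var verifierRe = regexp.MustCompile(`^[A-Za-z0-9\-._~]{43,128}$`)

// StoredAuthorization stands in for what the server remembered when it issued
// the authorization code (hypothetical shape for this example).
type StoredAuthorization struct {
	CodeChallenge       string // "" when the client sent no code_challenge
	CodeChallengeMethod string // "S256", "plain", or "" (RFC 7636 defaults "" to plain)
}

// S256Challenge computes BASE64URL-no-padding(SHA256(verifier)), RFC 7636 section 4.2.
func S256Challenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// VerifyPKCE enforces code_verifier at the token endpoint. It is intentionally
// independent of how (or whether) the client authenticated.
func VerifyPKCE(stored StoredAuthorization, codeVerifier string) error {
	if stored.CodeChallenge == "" {
		// No challenge was sent in the authorization request; nothing to enforce.
		return nil
	}
	if codeVerifier == "" {
		return ErrMissingVerifier
	}
	if !verifierRe.MatchString(codeVerifier) {
		return ErrMalformedVerifier
	}
	var expected string
	switch stored.CodeChallengeMethod {
	case "S256":
		expected = S256Challenge(codeVerifier)
	case "plain", "":
		expected = codeVerifier
	default:
		return ErrUnknownMethod
	}
	// Constant-time compare so a mismatch reveals nothing about which bytes differed.
	if subtle.ConstantTimeCompare([]byte(expected), []byte(stored.CodeChallenge)) != 1 {
		return ErrVerifierMismatch
	}
	return nil
}

// AllowExchange models the token-endpoint decision: client authentication
// (already evaluated by the caller, result passed as clientAuthenticated) and
// then PKCE, which is checked for every auth method, not only "none".
func AllowExchange(clientAuthenticated bool, stored StoredAuthorization, codeVerifier string) error {
	if !clientAuthenticated {
		return ErrClientAuthFailed
	}
	return VerifyPKCE(stored, codeVerifier)
}

func main() {
	// Constructed sample using the RFC 7636 Appendix B test vector.
	verifier := "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
	stored := StoredAuthorization{CodeChallenge: S256Challenge(verifier), CodeChallengeMethod: "S256"}
	fmt.Println("confidential client, correct verifier:", AllowExchange(true, stored, verifier))
	fmt.Println("confidential client, missing verifier:", AllowExchange(true, stored, ""))
}
```

The important design point is that `AllowExchange` never short-circuits PKCE on the strength of client authentication: a client secret proves which client is calling, while the verifier proves that the caller is the same party that started the authorization request, and the two checks are independent.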
29 lines
876 B
HTML
```html
{{ define "login" -}}
<!DOCTYPE html>
<html>
<head>
    <meta charset="UTF-8">
    <title>Login</title>
</head>
<body style="display: flex; align-items: center; justify-content: center; height: 100vh;">
    <form method="POST" action="/login/username" style="height: 200px; width: 200px;">

        <input type="hidden" name="id" value="{{.ID}}">

        <div>
            <label for="username">Username:</label>
            <input id="username" name="username" style="width: 100%">
        </div>

        <div>
            <label for="password">Password:</label>
            <input id="password" name="password" type="password" style="width: 100%">
        </div>

        <p style="color:red; min-height: 1rem;">{{.Error}}</p>

        <button type="submit">Login</button>
    </form>
</body>
</html>
{{- end }}
```