cim/zitadel-oidc
5
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
zitadel-oidc/example/server/exampleop
History
Ayato c51628ea27
feat(op): always verify code challenge when available (#721) 
Finally the RFC Best Current Practice for OAuth 2.0 Security has been approved.

According to the RFC:

> Authorization servers MUST support PKCE [RFC7636].
> 
> If a client sends a valid PKCE code_challenge parameter in the authorization request, the authorization server MUST enforce the correct usage of code_verifier at the token endpoint.

Isn’t it time we strengthen PKCE support a bit more?

This PR updates the logic so that PKCE is always verified, even when the Auth Method is not "none".
2025-03-24 18:00:04 +02:00
..
templates feat(op): always verify code challenge when available (#721) 2025-03-24 18:00:04 +02:00
device.go chore(op): upgrade go-chi/chi to v5 (#462) 2023-10-16 11:02:56 +02:00
login.go chore(op): upgrade go-chi/chi to v5 (#462) 2023-10-16 11:02:56 +02:00
op.go feat: Define redirect uris with env variables (#644) 2024-09-03 08:13:06 +00:00
templates.go implement RFC 8628: Device authorization grant 2023-03-01 08:59:17 +01:00