mirror/oidc
1
0
Fork 0
mirror of https://github.com/zitadel/oidc.git synced 2026-05-05 09:50:17 -05:00
Code Issues Packages Projects Releases Wiki Activity
Files
c51628ea27035796152a32631439625b55f0a7ea
oidc/pkg/op
T
History
Ayato c51628ea27 feat(op): always verify code challenge when available (#721) 
Finally the RFC Best Current Practice for OAuth 2.0 Security has been approved.

According to the RFC:

> Authorization servers MUST support PKCE [RFC7636].
> 
> If a client sends a valid PKCE code_challenge parameter in the authorization request, the authorization server MUST enforce the correct usage of code_verifier at the token endpoint.

Isn’t it time we strengthen PKCE support a bit more?

This PR updates the logic so that PKCE is always verified, even when the Auth Method is not "none".
2025-03-24 18:00:04 +02:00
..
mock
feat: support for session_state (#712)
2025-02-24 10:50:38 +00:00
applicationtype_enumer.go
chore: add enumer for iota-defined types (#197)
2022-07-25 20:06:49 +02:00
auth_request_test.go
feat: support for session_state (#712)
2025-02-24 10:50:38 +00:00
auth_request.go
feat: support for session_state (#712)
2025-02-24 10:50:38 +00:00
client_test.go
fix tests
2024-03-06 19:08:48 +01:00
client.go
fix parse
2024-03-07 15:25:23 +01:00
config_test.go
feat(op): issuer from custom headers (#478)
2023-11-10 14:18:08 +02:00
config.go
feat: support for session_state (#712)
2025-02-24 10:50:38 +00:00
context_test.go
feat(op): dynamic issuer depending on request / host (#278)
2023-02-09 17:10:22 +01:00
context.go
chore: test all routes
2023-03-15 14:32:14 +01:00
crypto.go
upgrade this module to v3
2023-03-20 13:38:21 +02:00
device_test.go
chore: updating go to 1.24 (#726)
2025-03-14 16:12:26 +01:00
device.go
chore: updating go to 1.24 (#726)
2025-03-14 16:12:26 +01:00
discovery_test.go
feat(pkg/op): allow custom SupportedScopes (#675)
2024-11-12 15:06:24 +00:00
discovery.go
feat: support for session_state (#712)
2025-02-24 10:50:38 +00:00
endpoint_test.go
feat(op): Server interface (#447)
2023-09-28 17:30:08 +03:00
endpoint.go
feat(op): Server interface (#447)
2023-09-28 17:30:08 +03:00
error_test.go
fix(op): initialize http Headers in response objects (#637)
2024-08-21 09:34:26 +02:00
error.go
feat: support for session_state (#712)
2025-02-24 10:50:38 +00:00
form_post.html.tmpl
feat(op): Add response_mode: form_post (#551)
2024-03-05 15:04:43 +02:00
keys_test.go
feat(deps): update go-jose to v4 (#588)
2024-04-11 18:13:30 +03:00
keys.go
feat(deps): update go-jose to v4 (#588)
2024-04-11 18:13:30 +03:00
op_test.go
feat(op): always verify code challenge when available (#721)
2025-03-24 18:00:04 +02:00
op.go
feat: support for session_state (#712)
2025-02-24 10:50:38 +00:00
probes.go
feat(op): Server interface (#447)
2023-09-28 17:30:08 +03:00
server_http_routes_test.go
feat(op): always verify code challenge when available (#721)
2025-03-24 18:00:04 +02:00
server_http_test.go
feat: go 1.22 and slog migration (#557)
2024-02-28 10:44:14 +01:00
server_http.go
feat(rp): extend tracing
2024-03-06 18:38:37 +01:00
server_legacy.go
feat(op): authorize callback handler as argument in legacy server registration (#598)
2024-04-30 20:27:12 +03:00
server_test.go
feat(op): Server interface (#447)
2023-09-28 17:30:08 +03:00
server.go
fix(op): initialize http Headers in response objects (#637)
2024-08-21 09:34:26 +02:00
session.go
feat(rp): extend tracing
2024-03-06 18:38:37 +01:00
signer.go
feat(deps): update go-jose to v4 (#588)
2024-04-11 18:13:30 +03:00
storage.go
feat: add CanGetPrivateClaimsFromRequest interface (#717)
2025-03-12 14:00:29 +02:00
token_client_credentials.go
fix(op): add scope to access token scope (#664)
2024-11-13 08:49:55 +00:00
token_code.go
feat(op): always verify code challenge when available (#721)
2025-03-24 18:00:04 +02:00
token_exchange.go
feat(rp): extend tracing
2024-03-06 18:38:37 +01:00
token_intospection.go
feat(rp): extend tracing
2024-03-06 18:38:37 +01:00
token_jwt_profile.go
fix(op): add scope to access token scope (#664)
2024-11-13 08:49:55 +00:00
token_refresh.go
refactor: mark pkg/strings as deprecated in favor of stdlib (#680)
2024-11-15 18:47:32 +02:00
token_request.go
feat(rp): extend tracing
2024-03-06 18:38:37 +01:00
token_revocation.go
correct span names
2024-03-07 10:44:24 +01:00
token.go
feat: add CanGetPrivateClaimsFromRequest interface (#717)
2025-03-12 14:00:29 +02:00
userinfo.go
correct span names
2024-03-07 10:44:24 +01:00
verifier_access_token_example_test.go
upgrade this module to v3
2023-03-20 13:38:21 +02:00
verifier_access_token_test.go
feat: merge the verifier types (#336)
2023-03-22 19:18:41 +02:00
verifier_access_token.go
feat(rp): extend tracing
2024-03-06 18:38:37 +01:00
verifier_id_token_hint_test.go
fix: allow expired ID token hint to end sessions (#522)
2024-01-19 11:30:51 +01:00
verifier_id_token_hint.go
feat(rp): extend tracing
2024-03-06 18:38:37 +01:00
verifier_jwt_profile_test.go
feat: merge the verifier types (#336)
2023-03-22 19:18:41 +02:00
verifier_jwt_profile.go
feat(deps): update go-jose to v4 (#588)
2024-04-11 18:13:30 +03:00