From 4c565537e4afe14297f0b1d22215895c2f783a40 Mon Sep 17 00:00:00 2001
From: kolaente
Date: Thu, 2 Apr 2026 18:55:31 +0200
Subject: [PATCH] feat: send PKCE code_verifier during OIDC token exchange

Retrieve the stored code_verifier from sessionStorage and include it in the callback POST body so the backend can verify the PKCE challenge.

Ref: #2410
---
 frontend/src/stores/auth.ts | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/frontend/src/stores/auth.ts b/frontend/src/stores/auth.ts
index f79003b67..ff965ec54 100644
--- a/frontend/src/stores/auth.ts
+++ b/frontend/src/stores/auth.ts
@@ -243,9 +243,13 @@ export const useAuthStore = defineStore('auth', () => {
 const fullProvider: IProvider = configStore.auth.openidConnect.providers.find((p: IProvider) => p.key === provider)
+ const codeVerifier = sessionStorage.getItem('pkceCodeVerifier')
+ sessionStorage.removeItem('pkceCodeVerifier')
+
 const data = {
 code: code,
 redirect_url: getRedirectUrlFromCurrentFrontendPath(fullProvider),
+ ...(codeVerifier && {code_verifier: codeVerifier}),
 }
 // Delete an eventually preexisting old token
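Review bot: The conditional spread `...(codeVerifier && {code_verifier: codeVerifier})` makes the token exchange proceed silently without a verifier whenever `sessionStorage` has no `pkceCodeVerifier` (cleared storage, a callback landing in a different tab or browser than the one that started the login, or a callback that was not preceded by this client's authorization request), which turns PKCE into best-effort on the client side and leaves it to the backend to notice the missing field. Since the frontend is the only place that knows a verifier was generated for this flow, it should treat its absence as a failed login rather than omit the field, e.g. `if (!codeVerifier) { throw new Error('Missing PKCE code_verifier for OIDC callback') }` placed right after the `removeItem` call, and then always send `code_verifier: codeVerifier` unconditionally in `data`. Whether the backend rejects a body without `code_verifier` is not visible here and should be confirmed separately, as the commit message only says it can "verify the PKCE challenge". A brief comment such as `// one-time use: clear the verifier before the exchange so a replayed callback cannot reuse it` on the `removeItem` line would also document why removal happens before the request rather than after a successful response. The enclosing `useAuthStore` callback starts before this hunk, and the hunk header's old-side count (9) exceeds the eight context lines visible here, so the hunk may continue past the end of the page.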