fix: pass PKCE code_verifier to OIDC provider during token exchange

The frontend sends the code_verifier in the callback request, but the
backend was not forwarding it to the OIDC provider's token endpoint.
This caused Dex (and any PKCE-aware provider) to reject the token
exchange with "Expecting parameter code_verifier in PKCE flow."
kolaente 2026-04-03 18:20:39 +02:00
parent 4c565537e4
commit f24b15c6e9
1 changed files with 9 additions and 4 deletions


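--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -44,9 +44,10 @@ import (
 // Callback contains the callback after an auth request was made and redirected
 type Callback struct {
-Code string `query:"code" json:"code"`
-Scope string `query:"scope" json:"scope"`
-RedirectURL string `json:"redirect_url"`
+Code string `query:"code" json:"code"`
+Scope string `query:"scope" json:"scope"`
+RedirectURL string `json:"redirect_url"`
+CodeVerifier string `json:"code_verifier"`
 }
 // Provider is the structure of an OpenID Connect provider
@@ -468,7 +469,11 @@ func getProviderAndOidcTokens(c *echo.Context) (*Provider, *oauth2.Token, *oidc.
 provider.Oauth2Config.RedirectURL = cb.RedirectURL
 // Parse the access & ID token
-oauth2Token, err := provider.Oauth2Config.Exchange(context.Background(), cb.Code)
+var exchangeOpts []oauth2.AuthCodeOption
+if cb.CodeVerifier != "" {
+exchangeOpts = append(exchangeOpts, oauth2.SetAuthURLParam("code_verifier", cb.CodeVerifier))
+}
+oauth2Token, err := provider.Oauth2Config.Exchange(context.Background(), cb.Code, exchangeOpts...)
 if err != nil {
 var rerr *oauth2.RetrieveError
 if errors.As(err, &rerr) {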
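Review bot: The `code_verifier` value appended to `exchangeOpts` in the second hunk is forwarded to the token endpoint exactly as received from the client, with no local validation; RFC 7636 constrains a verifier to 43–128 characters of unreserved ASCII, so a cheap length/charset check before `Exchange` would reject malformed input without a round-trip to the provider and give a clearer error than the provider's generic rejection. How such a validation error should be returned depends on the rest of getProviderAndOidcTokens, whose body starts before and ends after this hunk, so I have not quoted the return line. The new field in the first hunk has no doc comment, unlike the type itself; suggest `// CodeVerifier is the PKCE code verifier the frontend created for this login; it is forwarded unchanged to the provider's token endpoint.` The conditional in the second hunk would also benefit from a why-comment such as `// Only send code_verifier when the frontend supplied one so providers that do not use PKCE keep working.`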