From f24b15c6e953ecfd81ac611143bacc4be11c044a Mon Sep 17 00:00:00 2001
From: kolaente
Date: Fri, 3 Apr 2026 18:20:39 +0200
Subject: [PATCH] fix: pass PKCE code_verifier to OIDC provider during token exchange

The frontend sends the code_verifier in the callback request, but the backend was not forwarding it to the OIDC provider's token endpoint. This caused Dex (and any PKCE-aware provider) to reject the token exchange with "Expecting parameter code_verifier in PKCE flow."
---
 pkg/modules/auth/openid/openid.go | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/pkg/modules/auth/openid/openid.go b/pkg/modules/auth/openid/openid.go
index a5e01605d..4ee5e9ad2 100644
--- a/pkg/modules/auth/openid/openid.go
+++ b/pkg/modules/auth/openid/openid.go
@@ -44,9 +44,10 @@ import (
 // Callback contains the callback after an auth request was made and redirected
 type Callback struct {
- Code string `query:"code" json:"code"`
- Scope string `query:"scope" json:"scope"`
- RedirectURL string `json:"redirect_url"`
+ Code string `query:"code" json:"code"`
+ Scope string `query:"scope" json:"scope"`
+ RedirectURL string `json:"redirect_url"`
+ CodeVerifier string `json:"code_verifier"`
 }
 // Provider is the structure of an OpenID Connect provider
@@ -468,7 +469,11 @@ func getProviderAndOidcTokens(c *echo.Context) (*Provider, *oauth2.Token, *oidc.
 provider.Oauth2Config.RedirectURL = cb.RedirectURL
 // Parse the access & ID token
- oauth2Token, err := provider.Oauth2Config.Exchange(context.Background(), cb.Code)
+ var exchangeOpts []oauth2.AuthCodeOption
+ if cb.CodeVerifier != "" {
+ exchangeOpts = append(exchangeOpts, oauth2.SetAuthURLParam("code_verifier", cb.CodeVerifier))
+ }
+ oauth2Token, err := provider.Oauth2Config.Exchange(context.Background(), cb.Code, exchangeOpts...)
 if err != nil {
 var rerr *oauth2.RetrieveError
 if errors.As(err, &rerr) {
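Review bot: The new CodeVerifier field on Callback has no doc comment, while the struct itself and its neighbours in this file are documented. Since the value originates in the frontend (per the commit message) and the backend only relays it, I'd put `// CodeVerifier is the PKCE code_verifier the frontend generated for this login; it is forwarded to the provider's token endpoint, which checks it against the stored code_challenge.` above the field. The field carries only a `json` tag, so unlike Code and Scope it is read from the JSON body and not the query string; if that asymmetry is intended, the comment is the place to say so.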
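Review bot: The client-supplied code_verifier is forwarded to the token endpoint exactly as received in the new `if cb.CodeVerifier != "" {` branch, with no local shape check. RFC 7636 constrains a verifier to 43–128 characters from the unreserved set, so a cheap length/charset check before calling Exchange would reject malformed input with a clear local error instead of a round trip to the provider and an opaque RetrieveError; the existing error path a few lines below is where that error should be surfaced. If the module's golang.org/x/oauth2 version is recent enough to have it, `oauth2.VerifierOption(cb.CodeVerifier)` expresses the same intent as the hand-built `oauth2.SetAuthURLParam("code_verifier", ...)` and documents that this is PKCE rather than an arbitrary parameter. getProviderAndOidcTokens continues outside the hunk.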