fix: pass PKCE code_verifier to OIDC provider during token exchange
The frontend sends the code_verifier in the callback request, but the backend was not forwarding it to the OIDC provider's token endpoint. This caused Dex (and any PKCE-aware provider) to reject the token exchange with "Expecting parameter code_verifier in PKCE flow."
parent
4c565537e4
commit
f24b15c6e9
|
|
@ -44,9 +44,10 @@ import (
|
||||||
|
|
||||||
// Callback contains the callback after an auth request was made and redirected
|
// Callback contains the callback after an auth request was made and redirected
|
||||||
type Callback struct {
|
type Callback struct {
|
||||||
Code string `query:"code" json:"code"`
|
Code string `query:"code" json:"code"`
|
||||||
Scope string `query:"scope" json:"scope"`
|
Scope string `query:"scope" json:"scope"`
|
||||||
RedirectURL string `json:"redirect_url"`
|
RedirectURL string `json:"redirect_url"`
|
||||||
|
CodeVerifier string `json:"code_verifier"`
|
||||||
}
|
}
|
||||||
|
|
||||||
// Provider is the structure of an OpenID Connect provider
|
// Provider is the structure of an OpenID Connect provider
|
||||||
|
|
@ -468,7 +469,11 @@ func getProviderAndOidcTokens(c *echo.Context) (*Provider, *oauth2.Token, *oidc.
|
||||||
|
|
||||||
provider.Oauth2Config.RedirectURL = cb.RedirectURL
|
provider.Oauth2Config.RedirectURL = cb.RedirectURL
|
||||||
// Parse the access & ID token
|
// Parse the access & ID token
|
||||||
oauth2Token, err := provider.Oauth2Config.Exchange(context.Background(), cb.Code)
|
var exchangeOpts []oauth2.AuthCodeOption
|
||||||
|
if cb.CodeVerifier != "" {
|
||||||
|
exchangeOpts = append(exchangeOpts, oauth2.SetAuthURLParam("code_verifier", cb.CodeVerifier))
|
||||||
|
}
|
||||||
|
oauth2Token, err := provider.Oauth2Config.Exchange(context.Background(), cb.Code, exchangeOpts...)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
var rerr *oauth2.RetrieveError
|
var rerr *oauth2.RetrieveError
|
||||||
if errors.As(err, &rerr) {
|
if errors.As(err, &rerr) {
|
||||||
|
|
|
||||||
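Review bot: In getProviderAndOidcTokens the verifier is attached only when `cb.CodeVerifier != ""`, so the backend never requires PKCE itself and a callback that omits the field is exchanged exactly as before; rejection then depends on the provider having recorded a code_challenge for the authorization request, which deserves a comment above the `if`, e.g. `// PKCE is enforced by the provider; an empty verifier means the frontend did not start a PKCE flow`. The value is also relayed unchecked, while RFC 7636 restricts a verifier to 43–128 unreserved characters, so a cheap length check before the `append` would keep oversized input from being forwarded to the token endpoint. If the golang.org/x/oauth2 version in use provides it, `oauth2.VerifierOption(cb.CodeVerifier)` says the same thing as the hand-written `oauth2.SetAuthURLParam("code_verifier", cb.CodeVerifier)`. In the first hunk the new `CodeVerifier` field has no doc comment; if leaving out a `query` tag is deliberate, `// CodeVerifier is the PKCE code verifier (RFC 7636); read from the JSON body only, never from the query string` would record that. The function body starts and ends outside the hunk.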