fix: pass PKCE code_verifier to OIDC provider during token exchange
The frontend sends the code_verifier in the callback request, but the backend was not forwarding it to the OIDC provider's token endpoint. This caused Dex (and any PKCE-aware provider) to reject the token exchange with "Expecting parameter code_verifier in PKCE flow."
This commit is contained in:
parent
4c565537e4
commit
f24b15c6e9
@ -47,6 +47,7 @@ type Callback struct {
Code string `query:"code" json:"code"`
Scope string `query:"scope" json:"scope"`
RedirectURL string `json:"redirect_url"`
CodeVerifier string `json:"code_verifier"`
}
// Provider is the structure of an OpenID Connect provider
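Review bot: The new `CodeVerifier` field has no comment, and unlike `Code` and `Scope` it binds only from the JSON body, which is worth recording so the next person does not add a `query` tag and expose the verifier in URLs and access logs: `// CodeVerifier is the PKCE code_verifier generated by the frontend; accepted only from the JSON body and forwarded as-is to the provider's token endpoint.` The value is a per-exchange secret, so it should also stay out of any debug logging of the Callback struct.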
@ -468,7 +469,11 @@ func getProviderAndOidcTokens(c *echo.Context) (*Provider, *oauth2.Token, *oidc.
provider.Oauth2Config.RedirectURL = cb.RedirectURL
// Parse the access & ID token
oauth2Token, err := provider.Oauth2Config.Exchange(context.Background(), cb.Code)
var exchangeOpts []oauth2.AuthCodeOption
if cb.CodeVerifier != "" {
exchangeOpts = append(exchangeOpts, oauth2.SetAuthURLParam("code_verifier", cb.CodeVerifier))
}
oauth2Token, err := provider.Oauth2Config.Exchange(context.Background(), cb.Code, exchangeOpts...)
if err != nil {
var rerr *oauth2.RetrieveError
if errors.As(err, &rerr) {
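Review bot: When `cb.CodeVerifier` is empty the new code still performs the exchange without PKCE, so against a PKCE-enforcing provider the caller only learns of the problem through the provider's error on the `errors.As(err, &rerr)` path; if the frontend always sends a verifier, rejecting the empty case up front with a 4xx before the outbound round-trip gives a clearer failure and avoids a needless request to the token endpoint, otherwise a short comment on the `if cb.CodeVerifier != ""` line stating that non-PKCE providers are still supported would document the choice. The rewritten `Exchange` call also keeps `context.Background()`, so an abandoned callback cannot cancel the token request and nothing bounds its duration; deriving the context from the incoming request (or a `context.WithTimeout` on it), if the handler exposes one, would address that. The verifier is a per-exchange secret and the `*oauth2.RetrieveError` body may be surfaced to the client, so make sure neither the verifier nor the raw provider response is echoed into logs or error responses on that branch. getProviderAndOidcTokens starts and ends outside this hunk.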