feat: include PKCE code_challenge in OIDC auth redirect

Generate a code_verifier, compute its SHA-256 code_challenge, store
the verifier in sessionStorage, and append code_challenge +
code_challenge_method=S256 to the authorization URL.

Ref: #2410
kolaente 2026-04-02 18:55:21 +02:00
parent fb8e4ea741
commit f5024e2f2c
1 changed files with 7 additions and 2 deletions


@ -1,4 +1,5 @@
import {createRandomID} from '@/helpers/randomId'
import {generateCodeVerifier, generateCodeChallenge} from '@/helpers/pkce'
import type {IProvider} from '@/types/IProvider'
import {parseURL} from 'ufo'
@ -9,17 +10,21 @@ export function getRedirectUrlFromCurrentFrontendPath(provider: IProvider): stri
return `${url.protocol}//${url.host}/auth/openid/${provider.key}`
}
export const redirectToProvider = (provider: IProvider) => {
export const redirectToProvider = async (provider: IProvider) => {
const redirectUrl = getRedirectUrlFromCurrentFrontendPath(provider)
const state = createRandomID(24)
localStorage.setItem('state', state)
const codeVerifier = generateCodeVerifier()
const codeChallenge = await generateCodeChallenge(codeVerifier)
sessionStorage.setItem('pkceCodeVerifier', codeVerifier)
let scope = 'openid email profile'
if (provider.scope !== null){
scope = provider.scope
}
window.location.href = `${provider.authUrl}?client_id=${provider.clientId}&redirect_uri=${redirectUrl}&response_type=code&scope=${scope}&state=${state}`
window.location.href = `${provider.authUrl}?client_id=${provider.clientId}&redirect_uri=${redirectUrl}&response_type=code&scope=${scope}&state=${state}&code_challenge=${codeChallenge}&code_challenge_method=S256`
}
export const redirectToProviderOnLogout = (provider: IProvider) => {
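Review bot: The rewritten `window.location.href` line still interpolates every parameter raw into the query string, now including `code_challenge`; this is only correct if `generateCodeChallenge` already returns the RFC 7636 base64url form (no `+`, `/` or `=`), and `redirect_uri` and a `scope` containing spaces continue to be sent unescaped. Building the query with `URLSearchParams` removes that dependency on the helper's output format and encodes the existing parameters as well, which is a small rewrite of the tail of `redirectToProvider` (the function is fully contained in this hunk). Making the function `async` also means every caller outside this hunk now receives a promise; if one of them calls it without `await` or `void`, a rejection from `generateCodeChallenge` (e.g. `crypto.subtle` unavailable on a non-secure origin) becomes an unhandled rejection and the user silently never redirects, so the call sites should be checked. Note too that `state` goes to `localStorage` while the verifier goes to `sessionStorage`; the verifier must be present in the same tab that handles the callback, so if the callback may arrive in a different tab the two should at least use the same storage, and the callback handler should remove `pkceCodeVerifier` once it has been exchanged.
```typescript
// … unchanged: redirectUrl, state, codeVerifier, codeChallenge, scope …
const params = new URLSearchParams({
  client_id: provider.clientId,
  redirect_uri: redirectUrl,
  response_type: 'code',
  scope,
  state,
  code_challenge: codeChallenge,
  code_challenge_method: 'S256',
})
window.location.href = `${provider.authUrl}?${params.toString()}`
```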