Correctly verify PKCE secret in token endpoint

Before this change, the PKCE secret would be verified only if it was sent by the client. This defeats the point of PKCE, as a malicious actor who intercepted the code returned from the authorization endpoint would be able to send a request to the token endpoint without the code_verifier. This only affects public clients and is subject to the preconditions described by: https://tools.ietf.org/html/rfc7636#section-1
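The two token-endpoint behaviours the commit message contrasts, as an added illustration that is not the project's own code: a check that is skipped whenever the client omits code_verifier, beside one that makes the verifier mandatory for any code issued with a code_challenge. The record format and function names are assumptions; the S256 derivation and the 43-128 character verifier bounds follow RFC 7636.

```python
import base64
import hashlib
import hmac


def s256_challenge(verifier: str) -> str:
    """RFC 7636 S256: BASE64URL(SHA256(ASCII(code_verifier))) with padding stripped."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def issue_code(code_challenge=None, method="S256"):
    """Constructed stand-in for what the authorization endpoint stores alongside a code."""
    return {"code_challenge": code_challenge, "code_challenge_method": method}


def _verifier_matches(record, verifier):
    # Length bounds from RFC 7636 section 4.1; anything else is rejected outright.
    if not 43 <= len(verifier) <= 128:
        return False
    if record["code_challenge_method"] == "S256":
        expected = s256_challenge(verifier)
    else:  # "plain": the verifier is compared to the challenge as-is
        expected = verifier
    # Constant-time comparison so a wrong verifier is not distinguishable by timing.
    return hmac.compare_digest(expected, record["code_challenge"])


def verify_pkce_before(record, verifier):
    """Behaviour described as flawed: no verifier sent means no check performed.

    An intercepted code can be redeemed simply by leaving code_verifier out."""
    if verifier is None:
        return True
    return _verifier_matches(record, verifier)


def verify_pkce_after(record, verifier):
    """Corrected behaviour: a code bound to a challenge needs a matching verifier."""
    if record["code_challenge"] is None:
        return True  # no challenge was bound at authorization time; PKCE not in play
    if verifier is None:
        return False  # challenge present but verifier missing: reject, do not skip
    return _verifier_matches(record, verifier)
```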
1 parent: 935c90d
commit: 8bfcd47
Showing 2 changed files with 23 additions and 1 deletion.