First of all, thanks for your work :), it simplifies the OIDC connection a lot.
But it seems the openid-connect-client does not respect RFC 7636, section 4.1, about PKCE.
Indeed, the RFC states that the code verifier should be between 43 and 128 characters long.
But the method that generates the code verifier in OIDCAuthenticationFilter generates 50 random bits and then converts them to hexadecimal, which results in a code verifier of length 12 or 13...
Offending method:
```java
/**
 * Create a random code challenge and store it in the session
 * @param session
 * @return
 */
protected static String createCodeVerifier(HttpSession session) {
    String challenge = new BigInteger(50, new SecureRandom()).toString(16);
    session.setAttribute(CODE_VERIFIER_SESSION_VARIABLE, challenge);
    return challenge;
}
```
module: openid-connect-client
version: 1.3.4
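To make the length problem concrete, here is an added stand-alone example (not code from the openid-connect-client project) that reproduces the 50-bit hex generator beside an RFC 7636 compliant one, validates both against the section 4.1 rule (43 to 128 unreserved characters), and derives the S256 code_challenge. The class and method names are assumptions for this example.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.regex.Pattern;

public class PkceVerifierDemo {
    // RFC 7636 section 4.1: code_verifier = 43*128 unreserved chars ([A-Z] [a-z] [0-9] "-" "." "_" "~").
    private static final Pattern VERIFIER_SYNTAX = Pattern.compile("^[A-Za-z0-9\\-._~]{43,128}$");

    /** Reproduces the issue's generator: 50 random bits rendered as hex yields only 12 or 13 chars. */
    static String flawedCodeVerifier(SecureRandom rng) {
        return new BigInteger(50, rng).toString(16);
    }

    /** RFC 7636 recommendation: 32 random octets, base64url-encoded without padding, exactly 43 chars. */
    static String compliantCodeVerifier(SecureRandom rng) {
        byte[] octets = new byte[32];
        rng.nextBytes(octets);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(octets);
    }

    /** Server- or client-side sanity check of the verifier's length and character set. */
    static boolean isValidCodeVerifier(String verifier) {
        return verifier != null && VERIFIER_SYNTAX.matcher(verifier).matches();
    }

    /** S256 method: code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) with no padding. */
    static String s256Challenge(String verifier) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256")
                    .digest(verifier.getBytes(StandardCharsets.US_ASCII));
            return Base64.getUrlEncoder().withoutPadding().encodeToString(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory in every Java runtime", e);
        }
    }

    public static void main(String[] args) {
        SecureRandom rng = new SecureRandom();
        String flawed = flawedCodeVerifier(rng);
        String ok = compliantCodeVerifier(rng);
        System.out.println("flawed:    " + flawed + " (" + flawed.length() + " chars, valid=" + isValidCodeVerifier(flawed) + ")");
        System.out.println("compliant: " + ok + " (" + ok.length() + " chars, valid=" + isValidCodeVerifier(ok) + ")");
        System.out.println("code_challenge (S256): " + s256Challenge(ok));
    }
}
```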