llvy.ltd/casdoor
1
0
Fork 0
mirror of https://github.com/casdoor/casdoor.git synced 2025-07-02 11:20:18 +08:00
Code Issues Packages Projects Releases Wiki Activity

fix: Make secret optional when using PKCE (#525)

Browse Source 
Signed-off-by: Steve0x2a <stevesough@gmail.com>
This commit is contained in:
Steve0x2a
2022-03-02 13:15:14 +08:00
committed by GitHub
parent 18aa70dfb2
commit 22f5ad06ec
1 changed files with 14 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
object/token.go
View File

@ -444,18 +444,27 @@ func GetAuthorizationCodeToken(application *Application, clientSecret string, co
// anti replay attacks
return nil, errors.New("error: authorization code has been used")
}
if token.CodeChallenge != "" && pkceChallenge(verifier) != token.CodeChallenge {
return nil, errors.New("error: incorrect code_verifier")
}
if application.ClientSecret != clientSecret {
return nil, errors.New("error: invalid client_secret")
// when using PKCE, the Client Secret can be empty,
// but if it is provided, it must be accurate.
if token.CodeChallenge == "" {
return nil, errors.New("error: invalid client_secret")
} else {
if clientSecret != "" {
return nil, errors.New("error: invalid client_secret")
}
}
}
if application.Name != token.Application {
return nil, errors.New("error: the token is for wrong application (client_id)")
}
if token.CodeChallenge != "" && pkceChallenge(verifier) != token.CodeChallenge {
return nil, errors.New("error: incorrect code_verifier")
}
if time.Now().Unix() > token.CodeExpireIn {
// code must be used within 5 minutes
return nil, errors.New("error: authorization code has expired")