Skip to content

Fix PKCE credentials not being captured during authorize requests #707

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Apr 20, 2019
Merged

Fix PKCE credentials not being captured during authorize requests #707

merged 2 commits into from
Apr 20, 2019

Conversation

Maronato
Copy link
Contributor

PKCE credentials are not being captured during GET authorize requests. oauthlib should(?) return code_challenge and code_challenge_method from grant_types.authorization_code.validate_authorization_request.

@JonathanHuot, if oauthlib does not return them, clients using oauthlib must capture them manually. Is that intended?

@auvipy
Copy link
Contributor

auvipy commented Apr 19, 2019

somewhat weired

@Maronato Maronato mentioned this pull request Apr 19, 2019
Merged
@coveralls
Copy link

coveralls commented Apr 19, 2019
edited
Loading

Pull Request Test Coverage Report for Build 1094

  • 4 of 4 (100.0%) changed or added relevant lines in 1 file are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage increased (+0.008%) to 94.565%
Totals Coverage Status
Change from base Build 1085: 0.008%
Covered Lines: 1218
Relevant Lines: 1288
💛 - Coveralls

@Maronato
Copy link
Contributor Author

somewhat weired

What you think is weird?

@JonathanHuot
Copy link
Contributor

JonathanHuot commented Apr 19, 2019
edited
Loading

Hi @Maronato, oauthlib should receive the full request (method, uri, headers, payload). So if oauthlib receives correctly code_challenge & code_challenge_method in the URI, then it should works.

Do you know if DOT is filtering the list of fields before sending them to oauthlib ?

Also, do you have specific use-case/issue to how reproduce it ?

@JonathanHuot JonathanHuot mentioned this pull request Apr 19, 2019
Closed
@JonathanHuot
Copy link
Contributor

JonathanHuot commented Apr 19, 2019
edited
Loading

Ahhh sorry I think I get it. Yes, you're right, it should be added into oauthlib's validate_authorization_request request_info response.

I can fix it in oauthlib.

@Maronato Maronato requested a review from auvipy April 19, 2019 21:52
auvipy
auvipy approved these changes Apr 20, 2019
View reviewed changes
Copy link
Contributor

@auvipy auvipy left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

perfect.

@auvipy auvipy merged commit 2fdb0fe into django-oauth:master Apr 20, 2019
This was referenced Apr 26, 2019
Closed
Merged
@JonathanHuot
Copy link
Contributor

Hi @Maronato, any chances to test oauthlib/oauthlib#671 before releasing it ? Thx

@Maronato
Copy link
Contributor Author

Just tested it and it seems to be working fine, @JonathanHuot! Let me know when oauthlib/oauthlib#671 is released so I can revert the workaround.

@darvids0n
Copy link

FYI, the latest oauthlib includes these changes. https://github.com/oauthlib/oauthlib/tree/v3.1.0

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@auvipy auvipy auvipy approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@Maronato @auvipy @coveralls @JonathanHuot @darvids0n