Open
Assignees: @saschanaz
Description
It seems it's fully optional right now:
node-oauth2-server/lib/grant-types/authorization-code-grant-type.js, lines 122 to 144 in c993eb5:

    // optional: PKCE code challenge
    if (code.codeChallenge) {
      if (!request.body.code_verifier) {
        throw new InvalidGrantError('Missing parameter: `code_verifier`');
      }

      const hash = pkce.getHashForCodeChallenge({
        method: code.codeChallengeMethod,
        verifier: request.body.code_verifier
      });

      if (!hash) {
        // notice that we assume that codeChallengeMethod is already
        // checked at an earlier stage when being read from
        // request.body.code_challenge_method
        throw new ServerError('Server error: `getAuthorizationCode()` did not return a valid `codeChallengeMethod` property');
      }

      if (code.codeChallenge !== hash) {
        throw new InvalidGrantError('Invalid grant: code verifier is invalid');
      }
    }
It would be great if there were an option to force it. Of course, one can block the request manually by checking the query, though.