OpenAM / OPENAM-14977

PKCE Code challenge method for Authorization Code if not set should use plain

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 13.5.2, 14.1.1, 5.5.1, 6.0.0, 6.0.0.1, 6.0.0.2, 6.0.0.3, 6.0.0.4, 6.0.0.5, 6.0.0.6, 6.5.0, 6.5.0.1, 6.5.1
    • Fix Version/s: 6.5.2, 6.0.1, 7.0.0, 5.5.2
    • Component/s: oauth2, OpenID Connect
    • Needs backport: Yes
    • Needs QA verification: Yes
    • Functional tests: No
    • Are the reproduction steps defined?: Yes, and I used the same as in the description

      Description

      Bug description

      When using PKCE on the authorization endpoint and code_challenge_method is not passed in, the PKCE RFC (https://tools.ietf.org/html/rfc7636) says:

         code_challenge_method
            OPTIONAL, defaults to "plain" if not present in the request.  Code
            verifier transformation method is "S256" or "plain".
      

      However, when this is done, AM complains when the access_token endpoint is called with the
      code and returns

      {"error_description":"Invalid code challenge method specified.","error":"invalid_request"}
      

      How to reproduce the issue

      1. Go through a PKCE flow without passing code_challenge_method.
      2. Observe the failure.

      Expected behaviour
      If no code_challenge_method is sent, it is expected that the code_verifier uses plain, and so the same code_challenge should work.
      
      Current behaviour
      Currently fails to work regardless of the code_challenge.
      

      Workaround

      Pass in the code_challenge_method explicitly

      Code analysis

      Either default this to plain in AuthorizationCode or do this in AuthorizationCodeGrantTypeHandler.

      Note: OPENAM-7300 may have caused this deviation.
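      As an added illustration (not code from the OpenAM project), the following Python models the token-endpoint check from RFC 7636 section 4.6 and shows the two behaviours side by side: the reported one, where the method is stored exactly as received so a request without code_challenge_method is later rejected with "Invalid code challenge method specified.", and the fix suggested in the code analysis, where the RFC default of "plain" is applied when the authorization code is issued. Function names and the error dicts are assumptions made for the example; the code_verifier/S256 pair is the RFC 7636 Appendix B test vector.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional

# RFC 7636 section 4.3: code_challenge_method is OPTIONAL and defaults to "plain".
DEFAULT_METHOD = "plain"
SUPPORTED_METHODS = ("plain", "S256")


def new_code_verifier() -> str:
    """43-character unreserved-URI string, the minimum length RFC 7636 allows."""
    return secrets.token_urlsafe(32)


def s256_challenge(code_verifier: str) -> str:
    """BASE64URL(SHA256(ASCII(code_verifier))) with padding stripped (RFC 7636 section 4.2)."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def stored_method_as_reported(requested_method: Optional[str]) -> Optional[str]:
    """Behaviour described in this ticket (assumed model): the method is kept exactly
    as received, so an authorization request without code_challenge_method leaves
    it unset and the later token request fails."""
    return requested_method


def stored_method_per_rfc(requested_method: Optional[str]) -> str:
    """Fix from the code analysis (assumed model): apply the RFC default when the
    authorization code is created, so the token endpoint always sees a real method."""
    return requested_method if requested_method is not None else DEFAULT_METHOD


def verify_code_verifier(code_verifier: str, code_challenge: str,
                         method: Optional[str]) -> dict:
    """Token-endpoint check (RFC 7636 section 4.6). Returns an OAuth 2.0 style error
    dict on failure, or {"ok": True} when the verifier matches the stored challenge."""
    if method not in SUPPORTED_METHODS:
        # This is the branch the ticket hits when the method was never defaulted.
        return {"error": "invalid_request",
                "error_description": "Invalid code challenge method specified."}
    expected = code_verifier if method == "plain" else s256_challenge(code_verifier)
    # Constant-time comparison so a mismatch does not leak where the strings diverge.
    if not hmac.compare_digest(expected.encode("ascii"), code_challenge.encode("ascii")):
        # RFC 7636 section 4.6 requires invalid_grant on a mismatch.
        return {"error": "invalid_grant",
                "error_description": "code_verifier does not match code_challenge"}
    return {"ok": True}


if __name__ == "__main__":
    # Client sends a plain challenge and omits code_challenge_method, as in the ticket.
    verifier = new_code_verifier()
    challenge = verifier  # plain: code_challenge == code_verifier
    print("as reported:", verify_code_verifier(
        verifier, challenge, stored_method_as_reported(None)))
    print("per RFC:    ", verify_code_verifier(
        verifier, challenge, stored_method_per_rfc(None)))
    # S256 still works when the client states it explicitly.
    print("S256:       ", verify_code_verifier(
        verifier, s256_challenge(verifier), stored_method_per_rfc("S256")))
```

      Note that defaulting is done once, at authorization time, rather than at every consumer of the stored method; that is why the ticket's code analysis offers AuthorizationCode as the first place to fix it, with AuthorizationCodeGrantTypeHandler as the fallback.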

        People

        • Assignee: chee-weng.chea C-Weng C
        • Reporter: chee-weng.chea C-Weng C