Refuse to deliver token if code_verifier is present without code challenge

This commit is contained in:
Pierre HUBERT 2022-04-20 09:52:00 +02:00
parent d7344feb9b
commit 0e02b63d93


@ -319,9 +319,10 @@ pub async fn token(req: HttpRequest,
if !chall.verify_code(code_verifier) {
return Ok(error_response(&query, "invalid_grant", "Invalid code verifier"));
}
} else if q.code_verifier.is_some() {
return Ok(error_response(&query, "invalid_grant", "Unexpected `code_verifier` parameter!"));
}
if session.access_token.is_some() {
return Ok(error_response(&query, "invalid_request", "Authorization code already used!"));
}
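Review bot: The new `} else if q.code_verifier.is_some() {` branch rejects a verifier for which no challenge was stored but carries no explanation, so a later maintainer may relax it as "harmless extra input"; a comment such as `// A verifier with no stored challenge means the token request does not match the authorization request; reject it rather than ignore it.` would pin the intent. Both `invalid_grant` returns in this hunk appear to leave the authorization code unconsumed, so a client that fails verification can retry the same code with another verifier; if the code is not invalidated elsewhere in `token`, consider marking it used before returning from a failed verifier check. The enclosing `if let`/`else` and the function `token` begin outside the hunk, so whether a stored challenge with a missing `code_verifier` is rejected cannot be confirmed from here. Stylistically, the new message is the only error string that wraps a parameter name in backticks and ends with `!`, while the sibling `Invalid code verifier` message is plain; matching that form keeps the error strings consistent.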