I'm trying to add PKCE to the code flow so that a public native client can more securely exchange the code for an access token.
It appears this extension parses the two parameters for PKCE upon the initial authorization redirect from the client, but does not do anything else. After looking at the oauth2orize code, it seems like we also need to extend the exchange function to include the code_challenge verification in the exchange process. Is this correct?
Should this module actually include two things: the grant extension and an exchange extension?
I may be missing something, but this is what I've gathered so far after reading the oauth2orize and this PKCE code.
If I'm on the right track, I might have time to work on a PR for this, or at least fill in the docs some more.
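The exchange-side check the post asks about, as an added example that is not part of the original issue and is not code from oauth2orize or this extension. It follows RFC 7636; the function name `verifyPkce`, the shape of the `stored` record and the option names are assumptions made for illustration.

```javascript
const nodeCrypto = require('crypto');

// RFC 7636 section 4.1: code_verifier is 43-128 chars from the unreserved set.
const VERIFIER_RE = /^[A-Za-z0-9\-._~]{43,128}$/;

function base64url(buf) {
  return buf.toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function constantTimeEqual(a, b) {
  const x = Buffer.from(a, 'ascii');
  const y = Buffer.from(b, 'ascii');
  return x.length === y.length && nodeCrypto.timingSafeEqual(x, y);
}

// stored: { codeChallenge, codeChallengeMethod } saved with the code (hypothetical shape).
// opts.required: reject codes issued without a challenge (e.g. for public clients).
// opts.allowPlain: accept the "plain" method; off by default.
function verifyPkce(stored, codeVerifier, opts = {}) {
  if (!stored.codeChallenge) {
    // A verifier sent for a code that never had a challenge is rejected as well.
    if (codeVerifier !== undefined) return { ok: false, reason: 'unexpected_verifier' };
    return opts.required ? { ok: false, reason: 'pkce_required' } : { ok: true };
  }
  if (typeof codeVerifier !== 'string') return { ok: false, reason: 'missing_verifier' };
  if (!VERIFIER_RE.test(codeVerifier)) return { ok: false, reason: 'malformed_verifier' };

  // RFC 7636 section 4.3: an absent code_challenge_method means "plain".
  const method = stored.codeChallengeMethod || 'plain';
  let computed;
  if (method === 'S256') {
    computed = base64url(nodeCrypto.createHash('sha256').update(codeVerifier, 'ascii').digest());
  } else if (method === 'plain' && opts.allowPlain === true) {
    computed = codeVerifier;
  } else {
    return { ok: false, reason: 'unsupported_method' };
  }
  return constantTimeEqual(computed, stored.codeChallenge)
    ? { ok: true }
    : { ok: false, reason: 'mismatch' };
}

// Sample input: the verifier/challenge test vector from RFC 7636 Appendix B.
const SAMPLE = {
  verifier: 'dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk',
  challenge: 'E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM',
};
```

The challenge and method have to be stored with the authorization code when it is issued, so the token endpoint compares against the server's record and not against anything the client sends at exchange time.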