Fix oauth2 s256 (#36462)

2026-01-30 21:02:34 +01:00 · 2026-01-27 21:42:07 -08:00 · 2026-01-27 21:42:07 -08:00 · bf8d11bb21
commit bf8d11bb21
parent 224b7881d9
2 changed files with 40 additions and 2 deletions
--- a/routers/web/auth/oauth2_provider.go
+++ b/routers/web/auth/oauth2_provider.go
@ -230,8 +230,7 @@ func AuthorizeOAuth(ctx *context.Context) {

 	// pkce support
 	switch form.CodeChallengeMethod {
-	case "S256":
-	case "plain":
+	case "S256", "plain":
 		if err := ctx.Session.Set("CodeChallengeMethod", form.CodeChallengeMethod); err != nil {
 			handleAuthorizeError(ctx, AuthorizeError{
 				ErrorCode:        ErrorCodeServerError,
--- a/tests/integration/oauth_test.go
+++ b/tests/integration/oauth_test.go
@ -10,6 +10,7 @@ import (
 	"io"
 	"net/http"
 	"net/http/httptest"
+	"net/url"
 	"strings"
 	"testing"

@ -94,6 +95,44 @@ func TestAuthorizeShow(t *testing.T) {
 	AssertHTMLElement(t, htmlDoc, "#authorize-app", true)
 }

+func TestAuthorizeGrantS256RequiresVerifier(t *testing.T) {
+	defer tests.PrepareTestEnv(t)()
+	ctx := loginUser(t, "user4")
+	codeChallenge := "CjvyTLSdR47G5zYenDA-eDWW4lRrO8yvjcWwbD_deOg"
+	req := NewRequest(t, "GET", "/login/oauth/authorize?client_id=da7da3ba-9a13-4167-856f-3899de0b0138&redirect_uri=a&response_type=code&state=thestate&code_challenge_method=S256&code_challenge="+url.QueryEscape(codeChallenge))
+	resp := ctx.MakeRequest(t, req, http.StatusOK)
+
+	htmlDoc := NewHTMLParser(t, resp.Body)
+	AssertHTMLElement(t, htmlDoc, "#authorize-app", true)
+
+	grantReq := NewRequestWithValues(t, "POST", "/login/oauth/grant", map[string]string{
+		"client_id":    "da7da3ba-9a13-4167-856f-3899de0b0138",
+		"state":        "thestate",
+		"scope":        "",
+		"nonce":        "",
+		"redirect_uri": "a",
+		"granted":      "true",
+	})
+	grantResp := ctx.MakeRequest(t, grantReq, http.StatusSeeOther)
+	u, err := grantResp.Result().Location()
+	assert.NoError(t, err)
+	code := u.Query().Get("code")
+	assert.NotEmpty(t, code)
+
+	accessReq := NewRequestWithValues(t, "POST", "/login/oauth/access_token", map[string]string{
+		"grant_type":    "authorization_code",
+		"client_id":     "da7da3ba-9a13-4167-856f-3899de0b0138",
+		"client_secret": "4MK8Na6R55smdCY0WuCCumZ6hjRPnGY5saWVRHHjJiA=",
+		"redirect_uri":  "a",
+		"code":          code,
+	})
+	accessResp := MakeRequest(t, accessReq, http.StatusBadRequest)
+	parsedError := new(oauth2_provider.AccessTokenError)
+	assert.NoError(t, json.Unmarshal(accessResp.Body.Bytes(), parsedError))
+	assert.Equal(t, "unauthorized_client", string(parsedError.ErrorCode))
+	assert.Equal(t, "failed PKCE code challenge", parsedError.ErrorDescription)
+}
+
 func TestAuthorizeRedirectWithExistingGrant(t *testing.T) {
 	defer tests.PrepareTestEnv(t)()
 	req := NewRequest(t, "GET", "/login/oauth/authorize?client_id=da7da3ba-9a13-4167-856f-3899de0b0138&redirect_uri=https%3A%2F%2Fexample.com%2Fxyzzy&response_type=code&state=thestate")