
OAuth2\AbstractProvider::generatePKCECodeVerifier generates code_verifier with an invalid length

Open · harphield opened this issue 6 months ago · 1 comment

Per the OAuth PKCE RFC: https://datatracker.ietf.org/doc/html/rfc7636#section-4.1

code_verifier = high-entropy cryptographic random STRING using the unreserved characters [A-Z] / [a-z] / [0-9] / "-" / "." / "_" / "~" from Section 2.3 of [RFC3986], with a minimum length of 43 characters and a maximum length of 128 characters.

But the implementation of this method in OAuth2\AbstractProvider::generatePKCECodeVerifier() handles this incorrectly.

  1. It accepts a length, which defaults to 128.
  2. It then checks that this length is >= 43 and <= 128. So far so good.
  3. It generates random bytes of this length.
  4. It encodes these random bytes to base64 and returns that value.

When you encode 128 bytes to base64, you will now have a string that is longer than 128.

We discovered this bug when implementing PKCE authentication with Auth0. They specifically check the length of code_verifier, and throw an error if the length is > 128 or < 43.

The valid number of bytes to generate would be 32 - 96, which, when encoded to base64, will yield 43 - 128.

See: https://github.com/SocialConnect/auth/blob/ee93abe90e52c431de9d2c17211529d7a43dcc4d/src/OAuth2/AbstractProvider.php#L63-L71

harphield avatar Aug 27 '25 09:08 harphield
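The length arithmetic from the report, as an added Python illustration (not the project's PHP code): the buggy variant validates `length` and then encodes that many bytes, while the fixed variant treats `length` as the number of output characters and derives the byte count the report suggests (32 to 96 bytes for 43 to 128 characters). It assumes unpadded base64url encoding, as PKCE uses; the function names are invented for the example.

```python
import base64
import hashlib
import re
import secrets

# RFC 7636 section 4.1: 43..128 characters from the RFC 3986 unreserved set.
VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def is_valid_code_verifier(verifier: str) -> bool:
    """The check a strict authorization server applies before accepting a verifier."""
    return VERIFIER_RE.fullmatch(verifier) is not None


def base64url_nopad(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def encoded_length(nbytes: int) -> int:
    """Character count of unpadded base64url for nbytes of input, i.e. ceil(4n/3)."""
    return (4 * nbytes + 2) // 3


def buggy_code_verifier(length: int = 128) -> str:
    """Mirrors the reported behaviour: the range check is applied to `length`, but
    `length` is used as a byte count, so the output is ~4/3 longer (171 chars for 128).
    Only requests above 96 overflow the limit, and the default of 128 is one of them."""
    if not 43 <= length <= 128:
        raise ValueError("length must be between 43 and 128")
    return base64url_nopad(secrets.token_bytes(length))


def fixed_code_verifier(length: int = 128) -> str:
    """Treats `length` as the output character count: uses the largest byte count whose
    base64url encoding fits in `length` characters (32 bytes -> 43, 96 bytes -> 128)."""
    if not 43 <= length <= 128:
        raise ValueError("length must be between 43 and 128")
    nbytes = (length * 3) // 4  # largest n with encoded_length(n) <= length
    return base64url_nopad(secrets.token_bytes(nbytes))


def code_challenge_s256(verifier: str) -> str:
    """RFC 7636 section 4.2: BASE64URL(SHA256(ASCII(code_verifier))), for completeness."""
    return base64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())
```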

Can you please open a pull request with the suggested fix?

ADmad avatar Aug 27 '25 11:08 ADmad