actix-web-oauth2
[security] incomplete PKCE code verification process
trafficstars
Hi there,
This example repo appears to have a security flaw.
During the login process, you call set_pkce_challenge during the initial OAuth call; however, during exchange_code you do not call set_pkce_verifier. This means that a strict OAuth server cannot validate the PKCE values, so the token retrieval will fail.
https://docs.rs/oauth2/4.0.0/oauth2/struct.CodeTokenRequest.html#method.set_pkce_verifier
Additionally, can you please confirm whether your example site still works on GitLab? If so, then we need to inform GitLab that they may not be verifying PKCE correctly.