requests-oauthlib

Can you please add the ability to retrieve and provide the code verifier

Open Colin-b opened this issue 1 year ago • 3 comments

Right now, the auth code PKCE flow uses a code verifier generated when creating the authorization URL.

This is fine; however, I want to be able to use another OAuth2Session instance when requesting the token. To do so, I need to be able to get the code verifier that was generated and provide it as a parameter to fetch_token.

I can manage for now by accessing the private _code_verifier attribute, but I would like to rely on an interface that is not supposed to change without a new major release.

Thanks again

Colin-b, Jul 04 '24 17:07

I also ran into this same situation. In the web application flow it seems that using another OAuth2Session instance when requesting the token is required. I hope the code verifier can be provided as a parameter to fetch_token.

Xavierhahaha, Jul 23 '24 06:07

Honestly, I don't even feel comfortable with pulling the code verifier out of client._code_verifier, since it is obviously meant as a private property. This, IMHO, makes it impossible right now to perform the Authorization Code Flow with PKCE support by redirecting the user to the provider's login and consent page, since you are not able to get the code verifier out of the OAuth2Session instance and save it, e.g., in the user's session. At least not without violating the said practice of not accessing a private property from outside the class.

So it would also be a very nice addition to the lib, if you could access the generated code verifier with a getter method.

derCeddel, Mar 25 '25 03:03

Running into this as well - it's not possible to reinitialize a new session to use PKCE flow right now because you need to share the code verifier between hops. We need an API to pull it out and use it in the second OAuth2Session being created for the fetch_token API in the OAuth2 redirect endpoint.

Basically have to do the following in the authorization endpoint:

# Assuming a Pyramid application, which is where get_csrf_token and
# HTTPSeeOther come from; client_id, scope, redirect_uri, kw and
# oidc_authorization_url are configured elsewhere.
from pyramid.csrf import get_csrf_token
from pyramid.httpexceptions import HTTPSeeOther
from requests_oauthlib import OAuth2Session

def start_login_endpoint(request):
    state = get_csrf_token(request)
    oauth_session = OAuth2Session(client_id=client_id, scope=scope, redirect_uri=redirect_uri, state=state, pkce="S256")
    # authorization_url() generates the code verifier and keeps it only on this instance,
    # which does not survive the redirect to the provider
    authorization_url, state = oauth_session.authorization_url(oidc_authorization_url, **kw)
    request.session['code_verifier'] = oauth_session._code_verifier  # <-- save the verifier
    return HTTPSeeOther(authorization_url)

And then the following in the redirect endpoint:

def redirect_endpoint(request):
    state = get_csrf_token(request)
    # a fresh instance handles the callback, so it has no verifier of its own
    oauth_session = OAuth2Session(client_id=client_id, scope=scope, redirect_uri=redirect_uri, state=state, pkce="S256")
    oauth_session._code_verifier = request.session['code_verifier']  # <-- restore the verifier
    # fetch_token() sends this verifier with the token request
    oauth_session.fetch_token(oidc_token_url, authorization_response=request.url)

I'd expect instead to be able to supply it to OAuth2Session.__init__, similar to how you supply the client_secret in non-PKCE flows.

mmerickel, Apr 23 '25 20:04
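The reason the verifier has to cross the hops, shown as an added stdlib-only example (not requests-oauthlib's or oauthlib's code, and not the API the thread asks for): the first hop sends only the S256 challenge, and the provider later accepts the token request only if it carries the verifier that hashes to that stored challenge. FakeAuthorizationServer, start_login, finish_login and the dict used as the user's server-side session are constructed for this illustration; the two functions play the roles of the two endpoints above, each with its own short-lived "session" object.

```python
import base64
import hashlib
import re
import secrets
from dataclasses import dataclass, field

# RFC 7636 section 4.1: a code_verifier is 43..128 characters from [A-Za-z0-9-._~].
_VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def make_code_verifier(nbytes: int = 32) -> str:
    # 32 random bytes -> 43 urlsafe-base64 characters once padding is stripped
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).rstrip(b"=").decode("ascii")


def is_valid_code_verifier(verifier: str) -> bool:
    return _VERIFIER_RE.match(verifier) is not None


def make_code_challenge(code_verifier: str) -> str:
    # S256: BASE64URL(SHA256(ASCII(code_verifier))) without padding (RFC 7636 section 4.2)
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


@dataclass
class FakeAuthorizationServer:
    """Constructed stand-in for the provider: remembers the challenge received on
    hop 1 per authorization code and checks the verifier presented on hop 2."""
    issued: dict = field(default_factory=dict)

    def authorize(self, state: str, code_challenge: str, method: str = "S256") -> str:
        code = secrets.token_urlsafe(16)
        self.issued[code] = (code_challenge, method)
        return code

    def token(self, code: str, code_verifier: str):
        if code not in self.issued:
            return None
        challenge, method = self.issued.pop(code)  # single use
        # RFC 7636 section 4.6: reject the token request when the verifier does not match
        if method != "S256" or not secrets.compare_digest(make_code_challenge(code_verifier), challenge):
            return None
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer"}


def start_login(server: FakeAuthorizationServer, session_store: dict):
    """Hop 1 (authorization endpoint): the object that builds the redirect creates the
    verifier; the only copy that survives the redirect is the one written to the
    user's server-side session."""
    verifier = make_code_verifier()
    state = secrets.token_urlsafe(16)
    session_store["oauth_state"] = state
    session_store["code_verifier"] = verifier
    code = server.authorize(state, make_code_challenge(verifier))  # only the challenge leaves
    return state, code


def finish_login(server: FakeAuthorizationServer, session_store: dict, state: str, code: str):
    """Hop 2 (redirect endpoint): a fresh object handles the callback and must be handed
    the saved verifier; a missing or regenerated one can never satisfy the provider."""
    if not secrets.compare_digest(state, session_store.get("oauth_state", "")):
        return None  # state mismatch: treat as CSRF
    verifier = session_store.pop("code_verifier", None)
    if verifier is None:
        return None  # nothing to present; do not generate a new one here
    return server.token(code, verifier)
```

The failure modes worth noticing are the two that the thread's workaround guards against: a second session object that never receives the stored verifier has nothing valid to send, and one that generates its own verifier sends a value whose hash does not match the challenge the provider recorded, so the token request is refused.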

Just ran into this issue as well and I'm doing what @mmerickel is doing. Feels dangerous reaching for a private member, so I'm pinning the version until this gets a resolution.

gdtrice, Nov 04 '25 03:11