
[Bug]: v3.37.0 broke some of our clients

Open muir opened this issue 6 months ago • 2 comments

Preflight Checklist

  • [x] I could not find a solution in the documentation, the existing issues or discussions
  • [x] I have joined the ZITADEL chat

Version

v3.32.1

Describe the problem caused by this bug

A dependency upgrade from v3.32.1 -> v3.39.1 caused a production breakage. I've traced it to #721

And this request:

[AUTH-HTTP] POST /auth/oidc/op/Customer/oauth/token -> 400 id:9e342164-4c4b-49df-b937-220c8d8b0c33
Request Headers:
map["Accept-Encoding":["gzip"] "Authorization":["REDACTED/K80vJh6Y"] "Content-Length":["188"] "Content-Type":["application/x-www-form-urlencoded"] "User-Agent":["Go-http-client/1.1"] "X-Forwarded-For":["52.207.181.130"] "X-Forwarded-Host":["authsvc-staging.singlestore.com"] "X-Forwarded-Port":["443"] "X-Forwarded-Proto":["https"] "X-Forwarded-Scheme":["https"] "X-Real-Ip":["52.207.181.130"] "X-Request-Id":["b3ddcaad354e8c75929f5fc9b8f8c151"] "X-Scheme":["https"]]
Request Body:
code=REDACTED%2FV8869lo%2B&grant_type=authorization_code&redirect_uri=https%3A%2F%2Fmonitor-staging.singlestore.com%2Flogin%2Fgeneric_oauth
Response Headers:
map["Access-Control-Allow-Origin":["*"] "Cache-Control":["no-cache, no-store, must-revalidate"] "Content-Type":["application/json"] "Expires":["0"] "X-Content-Type-Options":["nosniff"]]
Response Body:
{"error":"invalid_request","error_description":"code_challenge required"}
--

I am continuing to debug and will update this bug with a PR when I've figured it out.

Multiple clients broke. One of them was grafana.

To reproduce

TBD

Screenshots

No response

Expected behavior

No response

Additional Context

No response

muir, Jul 09 '25 23:07

Okay, so this is a bug in my code, not zitadel/oidc.

My code was returning a *oidc.CodeChallenge struct with an empty Challenge sometimes.

This library could ignore such non-nil values. Or not? Change it for backwards compatibility? Or close this as a non-bug?

We should at least document that a nil return is okay and that a non-nil return must have a Challenge set.

muir, Jul 11 '25 00:07

You can send a documentation PR if you want. I do think #721 was a correct addition to the library. If for some reason your code returns an empty Challenge, might that be a security bug that was previously silently ignored?

muhlemmer, Aug 04 '25 11:08
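The edge case the two comments above turn on, as an added example that is not code from zitadel/oidc or from the reporter: a stand-alone Go model of the PKCE check at the token endpoint, showing what happens when storage hands back a nil challenge, a real challenge, or (the reporter's bug) a non-nil struct with an empty Challenge. The CodeChallenge type, the strict flag, the error values and the helper names are assumptions for illustration, modeled on the struct shape the thread describes; the S256 transform and the test vector are RFC 7636's.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
)

// CodeChallengeMethod is the code_challenge_method value from RFC 7636.
type CodeChallengeMethod string

const (
	CodeChallengeMethodPlain CodeChallengeMethod = "plain"
	CodeChallengeMethodS256  CodeChallengeMethod = "S256"
)

// CodeChallenge is a hypothetical local stand-in for the struct the reporter's
// storage returns: a pointer that may be nil, whose Challenge may be empty.
type CodeChallenge struct {
	Challenge string
	Method    CodeChallengeMethod
}

var (
	ErrChallengeRequired = errors.New("invalid_request: code_challenge required")
	ErrVerifierRequired  = errors.New("invalid_grant: code_verifier required")
	ErrVerifierMismatch  = errors.New("invalid_grant: code_verifier does not match code_challenge")
)

// S256Challenge computes BASE64URL(SHA256(ASCII(code_verifier))) without padding,
// as RFC 7636 section 4.2 specifies.
func S256Challenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// VerifyTokenRequest models the token-endpoint PKCE check. stored is what storage
// returned for the original authorization request, verifier is the code_verifier
// sent with the authorization_code grant. strict=true rejects a non-nil challenge
// whose Challenge is empty (the behaviour the reporter hit); strict=false lets it
// through, which is what the thread says happened before #721. These are assumed
// semantics for illustration, not the library's code.
func VerifyTokenRequest(stored *CodeChallenge, verifier string, strict bool) error {
	if stored == nil {
		// No PKCE on this authorization request: nothing to verify.
		return nil
	}
	if stored.Challenge == "" {
		if strict {
			return ErrChallengeRequired
		}
		return nil // lenient path: no verifier is checked at all for this code
	}
	if verifier == "" {
		return ErrVerifierRequired
	}
	var expected string
	switch stored.Method {
	case CodeChallengeMethodS256:
		expected = S256Challenge(verifier)
	case CodeChallengeMethodPlain, "":
		expected = verifier
	default:
		return fmt.Errorf("invalid_request: unsupported code_challenge_method %q", stored.Method)
	}
	if subtle.ConstantTimeCompare([]byte(expected), []byte(stored.Challenge)) != 1 {
		return ErrVerifierMismatch
	}
	return nil
}

// CodeChallengeFromStorage is the storage-side fix implied by the thread: map an
// empty stored challenge to nil rather than to a non-nil struct with Challenge == "".
func CodeChallengeFromStorage(challenge, method string) *CodeChallenge {
	if challenge == "" {
		return nil
	}
	return &CodeChallenge{Challenge: challenge, Method: CodeChallengeMethod(method)}
}

func main() {
	// RFC 7636 appendix B test vector (constructed input, not from the thread).
	verifier := "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
	good := CodeChallengeFromStorage(S256Challenge(verifier), "S256")
	broken := &CodeChallenge{} // the reporter's bug: non-nil, empty Challenge

	fmt.Println("valid PKCE exchange:  ", VerifyTokenRequest(good, verifier, true))
	fmt.Println("wrong verifier:       ", VerifyTokenRequest(good, verifier+"x", true))
	fmt.Println("empty struct, strict: ", VerifyTokenRequest(broken, "", true))
	fmt.Println("empty struct, lenient:", VerifyTokenRequest(broken, "", false))
	fmt.Println("normalized to nil:    ", VerifyTokenRequest(CodeChallengeFromStorage("", ""), "", true))
}
```

The lenient branch is the one worth staring at: when a non-nil-but-empty challenge is accepted, the token endpoint never looks at code_verifier, so any authorization request that was supposed to be PKCE-bound can be redeemed without the verifier. Normalizing empty to nil in storage (CodeChallengeFromStorage) keeps the strict check and fixes the Grafana-style clients that never used PKCE.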