It seems it's fully optional right now:
|
// optional: PKCE code challenge |
|
|
|
if (code.codeChallenge) { |
|
if (!request.body.code_verifier) { |
|
throw new InvalidGrantError('Missing parameter: `code_verifier`'); |
|
} |
|
|
|
const hash = pkce.getHashForCodeChallenge({ |
|
method: code.codeChallengeMethod, |
|
verifier: request.body.code_verifier |
|
}); |
|
|
|
if (!hash) { |
|
// notice that we assume that codeChallengeMethod is already |
|
// checked at an earlier stage when being read from |
|
// request.body.code_challenge_method |
|
throw new ServerError('Server error: `getAuthorizationCode()` did not return a valid `codeChallengeMethod` property'); |
|
} |
|
|
|
if (code.codeChallenge !== hash) { |
|
throw new InvalidGrantError('Invalid grant: code verifier is invalid'); |
|
} |
|
} |
Could be great if there's an option to force it. Of course one can block the request manually by checking the query, though.
It seems it's fully optional right now:
node-oauth2-server/lib/grant-types/authorization-code-grant-type.js
Lines 122 to 144 in c993eb5
Could be great if there's an option to force it. Of course one can block the request manually by checking the query, though.