feat(oauth): Implement PKCE (S256) and enforce redirect_uri binding #99452
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
RFCs: - RFC 7636 (PKCE): §4.1/§4.2/§4.3/§4.4/§4.6 - RFC 6749 (OAuth 2.0): §4.1.3 (redirect_uri binding) - OAuth 2.1 draft (draft-ietf-oauth-v2-1-13) Changes: - Model/migration: add ApiGrant.code_challenge + code_challenge_method (nullable) - Authorization: accept + persist code_challenge(+_method); default S256; deny plain by default - Token: require code_verifier when grant has challenge; length/charset per RFC 7636; S256 verification; optional plain behind flag - Token: enforce redirect_uri equality when stored on grant (no fallback) - Tests: S256 happy path; missing/mismatch/length/charset; optional plain; redirect binding Notes: - Local constants gate plain method; discovery metadata excluded (separate task) - No implicit flow changes; non-cacheable responses preserved Refs: #99002
…etrics - v0: log warnings when redirect_uri fallback or missing PKCE verifier are used - v1: unchanged strict behavior RFCs: RFC 7636; RFC 6749 §4.1.3 Refs: #99002
Contributor
|
This PR has a migration; here is the generated SQL for for --
-- Add field code_challenge to apigrant
--
ALTER TABLE "sentry_apigrant" ADD COLUMN "code_challenge" varchar(128) NULL;
--
-- Add field code_challenge_method to apigrant
--
ALTER TABLE "sentry_apigrant" ADD COLUMN "code_challenge_method" varchar(10) NULL; |
This comment was marked as outdated.
This comment was marked as outdated.
Sorry, something went wrong.
…rsion - v1: reject code_challenge_method=plain at authorize and token - v0: allow plain for compatibility - Update tests to switch app version for plain success path RFCs: RFC 7636 (PKCE); RFC 6749 §4.1.3 Refs: #99002
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## master #99452 +/- ##
==========================================
- Coverage 81.32% 81.21% -0.11%
==========================================
Files 8590 8584 -6
Lines 382261 380205 -2056
Branches 24106 24106
==========================================
- Hits 310864 308778 -2086
- Misses 71051 71081 +30
Partials 346 346 |
Member
Author
|
This one will need a bit more thorough of a review. 2.1 changes the hard requirements so once again we're not enforcing these til version=1. Will give it another pass myself |
mdtro
reviewed
Sep 15, 2025
mdtro
reviewed
Sep 18, 2025
mdtro
reviewed
Sep 18, 2025
This comment was marked as outdated.
This comment was marked as outdated.
Sorry, something went wrong.
This comment was marked as outdated.
This comment was marked as outdated.
Sorry, something went wrong.
Member
Author
|
I'm going to redo this patch from scratch given the model changes, but working on this now. |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
RFCs:
Changes:
Notes:
Refs: #99002