Merge pull request from GHSA-rw54-6826-c8j5
* Oauth2 replay attack mitigation for PKCE

* Oauth2 PKCE downgrade attack mitigation

* Updated changelog for GHSA-rw54-6826-c8j5
rhertogh authored Dec 16, 2023
1 parent 0d1c388 commit 721ed97
Showing 2 changed files with 10 additions and 2 deletions.
3 changes: 2 additions & 1 deletion CHANGELOG.md
@@ -5,7 +5,8 @@ Yii Framework 2 authclient extension Change Log
------------------------

- Bug #364: Use issuer claim from OpenID Configuration (radwouters)
- Enh: #367: Throw more specific `ClientErrorResponseException` when the response code in `BaseOAuth::sendRequest()` is a 4xx (rhertogh)
- Enh #367: Throw more specific `ClientErrorResponseException` when the response code in `BaseOAuth::sendRequest()` is a 4xx (rhertogh)
- Enh GHSA-rw54-6826-c8j5: Improved security for OAuth2 client by requiring an `authCodeVerifier` if PKCE is enabled and clearing it after usage (rhertogh)


2.2.14 November 18, 2022
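Review bot: the new GHSA-rw54-6826-c8j5 entry leaves out the behavioural change a caller will actually notice, namely that `fetchAccessToken()` now throws an `HttpException` (409, 'Invalid auth code verifier.') when PKCE is enabled and no `authCodeVerifier` is present in state, where the old code silently sent the request without `code_verifier`; state that in the entry so integrators know to handle the exception. Also consider labelling a security fix as `Bug` rather than `Enh`, in line with how #364 is labelled above. The removal of the stray colon in the #367 line is fine.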
9 changes: 8 additions & 1 deletion src/OAuth2.php
@@ -131,7 +131,14 @@ public function fetchAccessToken($authCode, array $params = [])
];

if ($this->enablePkce) {
$defaultParams['code_verifier'] = $this->getState('authCodeVerifier');
$authCodeVerifier = $this->getState('authCodeVerifier');
if (empty($authCodeVerifier)) {
// Prevent PKCE Downgrade Attack
// https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics#name-pkce-downgrade-attack
throw new HttpException(409, 'Invalid auth code verifier.');
}
$defaultParams['code_verifier'] = $authCodeVerifier;
$this->removeState('authCodeVerifier');
}

$request = $this->createRequest()
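Review bot: `$this->removeState('authCodeVerifier')` runs before the token request is even built on the following line, so any failure of the request to the token endpoint leaves no verifier to retry with; that is the replay mitigation the commit message names, but it is a behavioural change and should be stated in the docblock of `fetchAccessToken()` so callers do not retry with the same `$authCode` and then hit the new 409. Two smaller points on the new check: 409 Conflict is an odd status for a missing verifier, a 400-class error that callers can tell apart from a real conflict reads better; and `empty($authCodeVerifier)` also treats the string `"0"` as absent, so a `=== null || === ''` test states the intent more precisely. The comment linking draft-ietf-oauth-security-topics is good, but note in it that on the client side a missing verifier usually means the callback arrived without a matching authorization request from this session, which is the case the check is guarding.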
