sources/oauth: Make PKCE verifier 128 characters (#17763)

* sources/oauth: Make PKCE verifier 128 characters

The PKCE spec requires the code verifier to be 43-128 characters
inclusive[^1].

The default `length` argument to `generate_id` is 40 characters, which
meant the verifier is always shorter than required by the spec.
This could cause issues integrating authentik with PKCE-compliant OIDC
providers.

[^1]: https://datatracker.ietf.org/doc/html/rfc7636#section-4.1

* add length test

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Jens Langhammer <jens@goauthentik.io>

Author: 2 people

authentik/sources/oauth/clients/oauth2.py

@@ -143,7 +143,7 @@ def get_redirect_args(self) -> dict[str, str]:
         if self.source.source_type.urls_customizable and self.source.pkce:
             pkce_mode = self.source.pkce
         if pkce_mode != PKCEMethod.NONE:
-            verifier = generate_id()
+            verifier = generate_id(length=128)
             self.request.session[SESSION_KEY_OAUTH_PKCE] = verifier
             # https://datatracker.ietf.org/doc/html/rfc7636#section-4.2
             if pkce_mode == PKCEMethod.PLAIN:

authentik/sources/oauth/tests/test_views.py

@@ -205,6 +205,7 @@ def test_source_redirect_pkce(self):
         session = self.client.session
         state = session[f"oauth-client-{self.source.name}-request-state"]
         verifier = session[SESSION_KEY_OAUTH_PKCE]
+        self.assertEqual(len(verifier), 128)
         challenge = pkce_s256_challenge(verifier)
 
         self.assertEqual(qs["redirect_uri"], ["http://testserver/source/oauth/callback/test/"])