sources/oauth: Make PKCE verifier 128 characters (cherry-pick #17763 to version-2025.10) (#17765)

Co-authored-by: Alex Whitehead-Smith <alex.me.smith@gmail.com>
Co-authored-by: Jens Langhammer <jens@goauthentik.io>

Author: 3 people

authentik/sources/oauth/clients/oauth2.py

@@ -143,7 +143,7 @@ def get_redirect_args(self) -> dict[str, str]:
         if self.source.source_type.urls_customizable and self.source.pkce:
             pkce_mode = self.source.pkce
         if pkce_mode != PKCEMethod.NONE:
-            verifier = generate_id()
+            verifier = generate_id(length=128)
             self.request.session[SESSION_KEY_OAUTH_PKCE] = verifier
             # https://datatracker.ietf.org/doc/html/rfc7636#section-4.2
             if pkce_mode == PKCEMethod.PLAIN:

authentik/sources/oauth/tests/test_views.py

@@ -205,6 +205,7 @@ def test_source_redirect_pkce(self):
         session = self.client.session
         state = session[f"oauth-client-{self.source.name}-request-state"]
         verifier = session[SESSION_KEY_OAUTH_PKCE]
+        self.assertEqual(len(verifier), 128)
         challenge = pkce_s256_challenge(verifier)
 
         self.assertEqual(qs["redirect_uri"], ["http://testserver/source/oauth/callback/test/"])