sources/oauth: Make PKCE verifier 128 characters #17763
Merged: BeryJu merged 2 commits into goauthentik:main from alex9smith:sources/oauth/minimum-verifier-length, Oct 28, 2025
Conversation
The PKCE spec requires the code verifier to be 43-128 characters inclusive[^1]. The default `length` argument to `generate_id` is 40 characters, which meant the verifier is always shorter than required by the spec. This could cause issues integrating authentik with PKCE-compliant OIDC providers. [^1]: https://datatracker.ietf.org/doc/html/rfc7636#section-4.1
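As an added example (not authentik's code, and not using authentik's own `generate_id` helper), the following Python shows the RFC 7636 rules the description cites: a code verifier of 43 to 128 unreserved characters, the S256 code challenge derived from it, and the check an OP performs at the token endpoint. The RFC's Appendix B test vector is embedded as sample input; a 40-character verifier, the pre-fix default length, is rejected by the same validator.

```python
import base64
import hashlib
import re
import secrets

# RFC 7636 section 4.1: code_verifier = 43*128unreserved,
# unreserved = ALPHA / DIGIT / "-" / "." / "_" / "~"
UNRESERVED = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"
MIN_VERIFIER_LENGTH = 43
MAX_VERIFIER_LENGTH = 128
_VERIFIER_RE = re.compile(r"[A-Za-z0-9\-._~]{43,128}")

# Test vector copied from RFC 7636 Appendix B (not constructed).
RFC_APPENDIX_B_VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
RFC_APPENDIX_B_CHALLENGE = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"


def generate_code_verifier(length: int = MAX_VERIFIER_LENGTH) -> str:
    """Return a random code_verifier of `length` unreserved characters.

    The default is 128, the maximum RFC 7636 allows and the length the PR
    switches authentik to. Lengths outside 43..128 are rejected up front, so
    a caller cannot silently reproduce the 40-character default this PR fixes.
    """
    if not MIN_VERIFIER_LENGTH <= length <= MAX_VERIFIER_LENGTH:
        raise ValueError(
            f"code_verifier length must be {MIN_VERIFIER_LENGTH}..{MAX_VERIFIER_LENGTH}, got {length}"
        )
    # secrets.choice draws from the OS CSPRNG; random.choice is not acceptable here.
    return "".join(secrets.choice(UNRESERVED) for _ in range(length))


def is_valid_code_verifier(verifier: str) -> bool:
    """True iff `verifier` matches the RFC 7636 grammar (charset and 43..128 length)."""
    return _VERIFIER_RE.fullmatch(verifier) is not None


def code_challenge_s256(verifier: str) -> str:
    """RFC 7636 section 4.2: BASE64URL-ENCODE(SHA256(ASCII(code_verifier))), no '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def verify_code_challenge(verifier: str, challenge: str) -> bool:
    """Token-endpoint side (RFC 7636 section 4.6): recompute the challenge and compare.

    A strict OP also enforces the verifier grammar here, which is exactly where
    a 40-character verifier from a pre-fix client fails.
    """
    if not is_valid_code_verifier(verifier):
        return False
    return secrets.compare_digest(code_challenge_s256(verifier), challenge)


if __name__ == "__main__":
    # Client side: generate the pair sent with the authorization request.
    verifier = generate_code_verifier()
    challenge = code_challenge_s256(verifier)
    print(f"verifier ({len(verifier)} chars): {verifier}")
    print(f"code_challenge (S256): {challenge}")
    # Server side: the fresh pair is accepted, the old 40-character verifier is not.
    print("valid pair accepted:", verify_code_challenge(verifier, challenge))
    short = "a" * 40
    print("40-char verifier accepted:", verify_code_challenge(short, code_challenge_s256(short)))
```

The length check sits on both sides on purpose: the client-side `generate_code_verifier` refuses to produce a non-compliant verifier, and the server-side `verify_code_challenge` refuses to accept one, so an integration like the one in the description fails loudly rather than depending on the OP being lenient.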
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
BeryJu approved these changes, Oct 28, 2025
Codecov Report: All modified and coverable lines are covered by tests.

Coverage diff, main vs #17763:
  Coverage  92.97%  ->  92.88%  (-0.09%)
  Files     869     ->  869
  Lines     47949   ->  47950   (+1)
  Hits      44582   ->  44540   (-42)
  Misses    3367    ->  3410    (+43)
authentik-automation bot pushed a commit that referenced this pull request, Oct 28, 2025:

* sources/oauth: Make PKCE verifier 128 characters

The PKCE spec requires the code verifier to be 43-128 characters inclusive[^1]. The default `length` argument to `generate_id` is 40 characters, which meant the verifier is always shorter than required by the spec. This could cause issues integrating authentik with PKCE-compliant OIDC providers.

[^1]: https://datatracker.ietf.org/doc/html/rfc7636#section-4.1

* add length test

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Jens Langhammer <jens@goauthentik.io>
rissson pushed a commit that referenced this pull request, Oct 28, 2025:
…to version-2025.10) (#17765) Co-authored-by: Alex Whitehead-Smith <alex.me.smith@gmail.com> Co-authored-by: Jens Langhammer <jens@goauthentik.io>
kensternberg-authentik added a commit that referenced this pull request, Nov 10, 2025:

* main: (28 commits)
  ci: use hashes for actions everywhere (#17803)
  website/integrations: fixed paperless-ngx yml syntax issue and added additional info (#17739)
  core, web: update translations (#17782)
  ci: rework internal repo (#17797)
  root: use hashes for dockerfile FROM (#17795)
  web: bump validator from 13.15.15 to 13.15.20 in /packages/prettier-config (#17776)
  tasks: delay startup signals (#17769)
  website: bump the build group in /website with 6 updates (#17712)
  core, web: update translations (#17660)
  web: bump vite from 7.1.11 to 7.1.12 in /web (#17689)
  website: bump validator from 13.15.15 to 13.15.20 in /website (#17741)
  web: bump eslint-plugin-react-hooks from 7.0.0 to 7.0.1 in /packages/eslint-config in the eslint group across 1 directory (#17714)
  web: bump validator from 13.15.15 to 13.15.20 in /packages/eslint-config (#17742)
  packages/django-postgres-cache: use upsert instead of select/update in a transaction (#17760)
  providers/radius: fix panic when no cert is configured (#17762)
  sources/oauth: Make PKCE verifier 128 characters (#17763)
  providers/proxy: fix missing JWT/claims header (#17759)
  providers/proxy: add gorm logging (#17758)
  web: bump the sentry group across 1 directory with 2 updates (#17743)
  root: Add Dockerfile label org.opencontainers.image.source (#17756)
  ...
Details

For transparency, I work on GOV.UK One Login (an OIDC OP) and am looking at @brendanarnold's integration with us, which is also being discussed in issue #17491.

I would like to add a test to this PR that the generated verifier is of the correct length, but it wasn't clear to me where that should go. If you can point me to the right place I'll add it.
Checklist
- `ak test authentik/`
- `make lint-fix`

Footnotes
[^1]: https://datatracker.ietf.org/doc/html/rfc7636#section-4.1