[PKCE] code_challenge and code_challenge_method are missed in AuthorizationView form

[sayfullin]

Describe the bug

code_challenge and code_challenge_method do not have values in AuthorizationView form. Parameters are given as GET parameters
/oauth/authorize/?client_id=xxx&response_type=code&code_challenge=xxx&code_challenge_method=S256&scope=xxx&redirect_uri=xxx

<form id="authorizationForm" method="post">
    <h3 class="block-center-heading">Authorize PKCE?</h3>
    <input type="hidden" name="csrfmiddlewaretoken" value="xxx">
    <input type="hidden" name="redirect_uri" value="http://127.0.0.1:8000/success/" id="id_redirect_uri">
    ...
    <input type="hidden" name="code_challenge" id="id_code_challenge">
    <input type="hidden" name="code_challenge_method" id="id_code_challenge_method">
</form>

Expected behavior

<form id="authorizationForm" method="post">
    <h3 class="block-center-heading">Authorize PKCE?</h3>
    <input type="hidden" name="csrfmiddlewaretoken" value="xxx">
    <input type="hidden" name="redirect_uri" value="http://127.0.0.1:8000/success/" id="id_redirect_uri">
    ...
    <input type="hidden" name="code_challenge" value="xxxxx" id="id_code_challenge">
    <input type="hidden" name="code_challenge_method" value="S256" id="id_code_challenge_method">
</form>

Version
django-oauth-toolkit 1.3.3

• I have tested with the latest published release and it's still a problem.
• I have tested with the master branch and it's still a problem.

Additional context

I fixed for my local project by 'returning' old code from 1.3.2

class CustomAuthorizationView(AuthorizationView):
    def get(self, request, *args, **kwargs):
        try:
            scopes, credentials = self.validate_authorization_request(request)
            credentials["code_challenge"] = credentials.get(
                "code_challenge",
                request.GET.get("code_challenge", None)
            )
            credentials["code_challenge_method"] = credentials.get(
                "code_challenge_method",
                request.GET.get("code_challenge_method", None)
            )
        except OAuthToolkitError as error:
            # Application is not available at this time.
            return self.error_response(error, application=None)
        kwargs["code_challenge"] = credentials["code_challenge"]
        kwargs["code_challenge_method"] = credentials["code_challenge_method"]

        return super(CustomAuthorizationView, self).get(request, *args, **kwargs)

[brianhelba]

@MattBlack85 @auvipy This issue is fixed by #896. It can probably be closed.

Without #896, this bug causes PKCE to be broken in the latest release. Is it possible to get a new patch release soon, to allow downstreams to benefit from this fix?

[MattBlack85]

@brianhelba thanks for letting us know, we may do a release before xmas if @n2ygk is around and agrees

[MattBlack85]

close #900 via #896

[MattBlack85]

@brianhelba I'd like to include #903 and #906 in the next release as well, just asking for a bit more time in case :)

[brianhelba]

Hey again @MattBlack85 @n2ygk , would you be open to a release soon? I have several downstream projects using PKCE, and I'd hope to not be stuck on the old version.

[n2ygk]

Yes, we should do a minor release for that and then follow with a major release with the OIDC PR. Meanwhile, you can of course use the git ref in your requirements.txt to use the new code in your project.

…

On Fri, Feb 5, 2021 at 11:31 AM Brian Helba ***@***.***> wrote: Hey again @MattBlack85 <https://github.com/MattBlack85> @n2ygk <https://github.com/n2ygk> , would you be open to a release soon? I have several downstream projects using PKCE, and I'd hope to not be stuck on the old version. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#900 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABBHS55LOZKSFPBB5C2RZCDS5QMM7ANCNFSM4UJCPYSQ> .