Ory Hydra - In PKCE flow where is code_verifier stored and checked?
I am using Ory Hydra to complete an OAuth2 authorization_code flow with PKCE. Something is wrong with my setup. The code verifier is not actually validated. I am able to exchange the authz code for a token whether I provide the right verifier, an invalid one or even not provide one at all.
I am looking through the Hydra source code but having a hard time finding:
- Where is the code that adds the session to the PKCE table? This is probably called by the oauth2/auth endpoint.
- Where is the code that validates the code_verifier? I assume it's called by the oauth2/token endpoint.
PS: These lines look like what would be called when saving and retrieving the PKCE session. However, I don't see them executed anywhere in the package, so I don't know how/where the PKCE inputs get validated.
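For reference, this is what the token-endpoint side of the check has to do according to RFC 7636, written here as an added, self-contained Go example; it is not Hydra's code and the `PKCESession` type and function names are hypothetical. The authorization endpoint persists the `code_challenge` and `code_challenge_method` next to the issued code; the token endpoint loads that record, derives the challenge from the presented `code_verifier` (`BASE64URL(SHA256(verifier))` for `S256`, the verifier itself for `plain`) and compares. Note the first branch: if no challenge was recorded for the code, the RFC gives the server nothing to compare against, and a verifier that is missing, wrong or absent is accepted unless the server is configured to require PKCE for that client. That is the behaviour described in the question, so the first thing to confirm is whether the authorization request actually carried a `code_challenge`.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
)

// PKCESession is the state the authorization endpoint must persist alongside
// the authorization code (the "PKCE table" in the question). Hypothetical
// type for this example, not Hydra's own storage model.
type PKCESession struct {
	Challenge string // code_challenge as sent by the client
	Method    string // code_challenge_method: "plain" or "S256"
}

var (
	ErrMissingVerifier  = errors.New("pkce: code_verifier is required because a code_challenge was recorded")
	ErrVerifierFormat   = errors.New("pkce: code_verifier must be 43-128 unreserved characters (RFC 7636 4.1)")
	ErrVerifierMismatch = errors.New("pkce: code_verifier does not match the recorded code_challenge")
	ErrUnknownMethod    = errors.New("pkce: unsupported code_challenge_method")
)

// isUnreserved reports whether c is in ALPHA / DIGIT / "-" / "." / "_" / "~".
func isUnreserved(c byte) bool {
	return (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
		(c >= '0' && c <= '9') || c == '-' || c == '.' || c == '_' || c == '~'
}

// ComputeChallengeS256 derives the S256 challenge from a verifier:
// BASE64URL-without-padding(SHA256(ASCII(verifier))). Used by the client at
// authorization time and by the server to recompute at token time.
func ComputeChallengeS256(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// VerifyCodeVerifier is the check the token endpoint must run when exchanging
// an authorization code. sess is the record saved at the authorization
// endpoint; nil means no code_challenge was ever sent for this code.
func VerifyCodeVerifier(sess *PKCESession, verifier string) error {
	if sess == nil || sess.Challenge == "" {
		// No challenge was recorded, so there is nothing to verify against.
		// A server that wants to enforce PKCE for this client must reject here
		// instead of returning nil; this is the branch that lets any verifier
		// (or none) succeed when the authorize request omitted code_challenge.
		return nil
	}
	if verifier == "" {
		return ErrMissingVerifier
	}
	if len(verifier) < 43 || len(verifier) > 128 {
		return ErrVerifierFormat
	}
	for i := 0; i < len(verifier); i++ {
		if !isUnreserved(verifier[i]) {
			return ErrVerifierFormat
		}
	}
	var derived string
	switch sess.Method {
	case "S256":
		derived = ComputeChallengeS256(verifier)
	case "plain":
		derived = verifier
	default:
		return ErrUnknownMethod
	}
	// Constant-time comparison so a timing side channel does not leak how much
	// of the challenge a candidate verifier matched.
	if subtle.ConstantTimeCompare([]byte(derived), []byte(sess.Challenge)) != 1 {
		return ErrVerifierMismatch
	}
	return nil
}

func main() {
	// Test vector from RFC 7636 Appendix B.
	verifier := "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
	sess := &PKCESession{Challenge: ComputeChallengeS256(verifier), Method: "S256"}
	fmt.Println("challenge:", sess.Challenge)
	fmt.Println("correct verifier:", VerifyCodeVerifier(sess, verifier))
	fmt.Println("missing verifier:", VerifyCodeVerifier(sess, ""))
	fmt.Println("no challenge recorded:", VerifyCodeVerifier(nil, ""))
}
```

The `Method` field matters as well: a server that defaults an absent `code_challenge_method` to `plain` and a client that sent an S256 challenge will never match, which shows up as every exchange failing rather than every exchange succeeding.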
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow