-
Notifications
You must be signed in to change notification settings - Fork 368
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Permit response_type be "code id_token" #328
Conversation
Is PKCE defined for hybrid flows? |
Sorry for response so late.
When callback url was hijacked, PKCE can prevent from obtaining access token. The same thing can happen in hybrid flow and nothing else can prevent it.
I will push it soon. Thanks. |
Signed-off-by: Adam Shannon <[email protected]> Signed-off-by: Wenhao Ni <[email protected]>
Signed-off-by: Adam Shannon <[email protected]> Signed-off-by: Wenhao Ni <[email protected]>
Users of this library can easily create the following: hasher := fosite.BCrypt{} hasher.Hash(..) This is a problem because WorkFactor will default to 0 and x/crypto/bcrypt will default that to 4 (See https://godoc.org/golang.org/x/crypto/bcrypt). Instead this should be some higher cost factor. Callers who need a lower WorkFactor can still lower the cost, if needed. Signed-off-by: Adam Shannon <[email protected]> Signed-off-by: Wenhao Ni <[email protected]>
Signed-off-by: Wenhao Ni <[email protected]>
Signed-off-by: Wenhao Ni <[email protected]>
Signed-off-by: Wenhao Ni <[email protected]>
Signed-off-by: Wenhao Ni <[email protected]>
Signed-off-by: Wenhao Ni <[email protected]>
Signed-off-by: Wenhao Ni <[email protected]>
Thank you! |
Signed-off-by: Adam Shannon <[email protected]> Signed-off-by: Wenhao Ni <[email protected]>
Related issue
None
Proposed changes
When hybrid flow with response_type=id_token code, we must permit code and others.
For that, I change the check method from Exact to Has.
Checklist
vulnerability, I confirm that I got green light (please contact [email protected]) from the maintainers to push the changes.
by signing my commit(s). You can amend your signature to the most recent commit by using
git commit --amend -s
. If youamend the commit, you might need to force push using
git push --force HEAD:<branch>
. Please be very careful when usingforce push.
Further comments
None.