Ignore PKCE params for non-PKCE grants
Summary
Getting a 401 response from the token endpoint (oauth/token). The below posted code has worked in the past. Seems to have broken sometime after January.
Proposal
This has been fixed in the Doorkeeper gem and should be released in version 5.5: https://github.com/doorkeeper-gem/doorkeeper/pull/1415
Example Project
This is the crucial part of the Node.js project:
const express = require('express');
const app = express();
const session = require('express-session');
// cookieSession config
app.use(session({
secret: 'keyboard cat',
resave: false,
saveUninitialized: true,
cookie: { secure: false, sameSite: "lax" }
}));
const { generators } = require('openid-client');
const { Issuer } = require('openid-client');
Issuer.discover('https://gitlab.com').then(function(gitlabIssuer) {
// console.log('Discovered issuer %s %O', gitlabIssuer.issuer, gitlabIssuer.metadata);
const client = new gitlabIssuer.Client({
client_id: "someid",
client_secret: "somesecret",
redirect_uris: ["http://localhost:3000/auth/gitlab/callback"],
response_types: ['code'],
});
/* Auth middleware */
app.use(function(req, res, next) {
/* Do not intercept auth urls */
if (req._parsedOriginalUrl != null && req._parsedOriginalUrl.pathname == '/auth/gitlab/callback') {
console.log("Got oAuth callback")
next()
return
}
/* Check if the user is logged in */
if (req.session.tokenSet) {
console.log("Has token set")
} else {
console.log('User not logged in')
const code_verifier = generators.codeVerifier()
const code_challenge = generators.codeChallenge(code_verifier);
req.session.authRequest = {
code_verifier,
code_challenge
};
const authUrl = client.authorizationUrl({
scope: 'openid api',
code_challenge,
code_challenge_method: 'S256'
});
// Store in session
req.session.save()
res.redirect(authUrl)
}
})
app.get('/auth/gitlab/callback', (req, res) => {
console.log("Authenticate user")
const params = client.callbackParams(req);
console.log("Params:", params)
const code_verifier = req.session.authRequest.code_verifier;
console.log("code_verifier", code_verifier)
client.oauthCallback("http://localhost:3000/auth/gitlab/callback", params, { code_verifier })
.then(tokenSet => {
req.session.authRequest = null
console.log('received and validated tokens %j', tokenSet);
req.session.tokenSet = tokenSet
res.redirect("/")
})
.catch(error => {
console.log("Error", error)
});
})
});
module.exports = app;What is the current bug behavior?
I get correctly redirected to Gitlab.com where I have to authorize the client to use my account. Upon authorizing my app receives a 401 response from the token endpoint.
What is the expected correct behavior?
Receiving a valid token.
Relevant logs and/or screenshots
| Client setup |
|---|
 |
The console log outputs of the app (don't get confused by the error log, that one is thrown if the response status is 401):
User not logged in
Got oAuth callback
Authenticate user
Params: {
code: 'd70ebcab2937d0876a302bc23a2e87d4be12d865e907da1d631d603fac3a233d'
}
code_verifier bFWBhrWz3LXlU0z1NvGbvhKoF3Q8s4JnAc9IumukKl8
Error OPError: invalid_request (The request is missing a required parameter, includes an unsupported parameter value, or is otherwise malformed.)
at processResponse (/Users/foo/node_modules/openid-client/lib/helpers/process_response.js:45:13)
at Client.grant (/Users/foo/node_modules/openid-client/lib/client.js:1235:26)
at processTicksAndRejections (internal/process/task_queues.js:97:5) {
error: 'invalid_request',
error_description: 'The request is missing a required parameter, includes an unsupported parameter value, or is otherwise malformed.'
}Output of checks
This bug happens on GitLab.com
Edited by Markus Koller