From 6426e597a3813aed641984cece81800109d25ae5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Kooman?=
Date: Tue, 24 Jan 2017 11:36:34 +0100
Subject: [PATCH] Fix PKCE code verifier encoding to match specification

The current implementation of PKCE does not follow the specification correctly regarding the encoding of the code verifier. This patch correctly encodes the hash of the code verifier according to Appenix A of RFC 7636.
---
 src/Grant/AuthCodeGrant.php | 2 +-
 tests/Grant/AuthCodeGrantTest.php | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/Grant/AuthCodeGrant.php b/src/Grant/AuthCodeGrant.php
index df89400e..0d05e7c8 100644
--- a/src/Grant/AuthCodeGrant.php
+++ b/src/Grant/AuthCodeGrant.php
@@ -144,7 +144,7 @@ class AuthCodeGrant extends AbstractAuthorizeGrant
 case 'S256':
 if (
 hash_equals(
- urlencode(base64_encode(hash('sha256', $codeVerifier))),
+ strtr(rtrim(base64_encode(hash('sha256', $codeVerifier)), '='), '+/', '-_'),
 $authCodePayload->code_challenge
 ) === false
 ) {
diff --git a/tests/Grant/AuthCodeGrantTest.php b/tests/Grant/AuthCodeGrantTest.php
index 498fdb4e..d9f366e6 100644
--- a/tests/Grant/AuthCodeGrantTest.php
+++ b/tests/Grant/AuthCodeGrantTest.php
@@ -630,7 +630,7 @@ class AuthCodeGrantTest extends \PHPUnit_Framework_TestCase
 'user_id' => 123,
 'scopes' => ['foo'],
 'redirect_uri' => 'http://foo/bar',
- 'code_challenge' => urlencode(base64_encode(hash('sha256', 'foobar'))),
+ 'code_challenge' => strtr(rtrim(base64_encode(hash('sha256', 'foobar')), '='), '+/', '-_'),
 'code_challenge_method' => 'S256',
 ]
 )
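Review bot: The S256 comparison on the added line still hashes to a hex string: `hash('sha256', $codeVerifier)` without the raw-output flag returns the 64-character hexadecimal digest, whereas RFC 7636 §4.2 defines code_challenge as BASE64URL(SHA256(ASCII(code_verifier))) over the 32 raw digest bytes, so a spec-compliant client's 43-character challenge can never equal the 86-character value computed here and every S256 exchange would be rejected by `hash_equals`. The base64url conversion itself (strip `=` padding, map `+/` to `-_`) is now right; only the hash call needs changing: `strtr(rtrim(base64_encode(hash('sha256', $codeVerifier, true)), '='), '+/', '-_'),`. The enclosing method and the surrounding switch start and end outside the hunk, so I cannot see whether `$codeVerifier` is validated against the RFC's 43–128 unreserved-character constraint before being hashed; that check belongs near this comparison if it is not already there.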
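Review bot: The updated fixture derives code_challenge with the same `hash('sha256', 'foobar')` expression the implementation uses, so the test passes whether the server encodes the raw digest or the hex digest — it cannot detect the interoperability defect that RFC 7636 requires the raw 32-byte SHA-256 output. Pin the fixture to the known-answer vector from RFC 7636 Appendix B instead, so the server is checked against an independently computed value: `'code_challenge' => 'E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM',` with the request's code_verifier set to `dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk`. The rest of the test method, including where the verifier is supplied to the token request, lies outside the hunk, so the verifier line may need changing there as well.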