Move pkce check so it happens prior to validation of code challenge

thephpleague · Feb 15, 2023 · 0d523dd · 0d523dd
1 parent 1480564
commit 0d523dd
Showing 1 changed file with 4 additions and 4 deletions.
diff --git a/src/Grant/AuthCodeGrant.php b/src/Grant/AuthCodeGrant.php
@@ -129,10 +129,6 @@ public function respondToAccessTokenRequest(
 
         $codeVerifier = $this->getRequestParameter('code_verifier', $request, null);
 
-        if (!empty($authCodePayload->code_challenge)) {
-            $this->validateCodeChallenge($authCodePayload, $codeVerifier);
-        }
-
         // If a code challenge isn't present but a code verifier is, reject the request to block PKCE downgrade attack
         if (empty($authCodePayload->code_challenge) && $codeVerifier !== null) {
             throw OAuthServerException::invalidRequest(
@@ -141,6 +137,10 @@ public function respondToAccessTokenRequest(
             );
         }
 
+        if (!empty($authCodePayload->code_challenge)) {
+            $this->validateCodeChallenge($authCodePayload, $codeVerifier);
+        }
+
         // Issue and persist new access token
         $accessToken = $this->issueAccessToken($accessTokenTTL, $client, $authCodePayload->user_id, $scopes);
         $this->getEmitter()->emit(new RequestAccessTokenEvent(RequestEvent::ACCESS_TOKEN_ISSUED, $request, $accessToken));