From 0d523ddedd4d519a954610ac10cbbdbd64b983ba Mon Sep 17 00:00:00 2001
From: Andrew Millington
Date: Wed, 15 Feb 2023 15:59:31 +0000
Subject: [PATCH] Move pkce check so it happens prior to validation of code challenge

---
 src/Grant/AuthCodeGrant.php | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/Grant/AuthCodeGrant.php b/src/Grant/AuthCodeGrant.php
index 1bde2044e..8336cf649 100644
--- a/src/Grant/AuthCodeGrant.php
+++ b/src/Grant/AuthCodeGrant.php
@@ -129,10 +129,6 @@ public function respondToAccessTokenRequest(
 $codeVerifier = $this->getRequestParameter('code_verifier', $request, null);
 
- if (!empty($authCodePayload->code_challenge)) {
- $this->validateCodeChallenge($authCodePayload, $codeVerifier);
- }
-
 // If a code challenge isn't present but a code verifier is, reject the request to block PKCE downgrade attack
 if (empty($authCodePayload->code_challenge) && $codeVerifier !== null) {
 throw OAuthServerException::invalidRequest(
@@ -141,6 +137,10 @@ public function respondToAccessTokenRequest(
 );
 }
 
+ if (!empty($authCodePayload->code_challenge)) {
+ $this->validateCodeChallenge($authCodePayload, $codeVerifier);
+ }
+
 // Issue and persist new access token
 $accessToken = $this->issueAccessToken($accessTokenTTL, $client, $authCodePayload->user_id, $scopes);
 $this->getEmitter()->emit(new RequestAccessTokenEvent(RequestEvent::ACCESS_TOKEN_ISSUED, $request, $accessToken));
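Review bot: The guard added in the second hunk, `if (!empty($authCodePayload->code_challenge))`, treats a stored challenge of `'0'` the same as a missing one, so for such a payload `validateCodeChallenge()` is skipped and, if the client simply omits `code_verifier`, the downgrade check in the first hunk (which uses the same `empty()` test) also passes and the access token is issued with no PKCE verification at all. Whether a literal `'0'` can ever be persisted depends on the challenge-format validation at the authorization endpoint, which is not in this diff, but the token endpoint should not rely on that: test presence explicitly, e.g. `if (isset($authCodePayload->code_challenge) && $authCodePayload->code_challenge !== '') {`, and use the exact complement in the downgrade check so the two branches stay mutually exclusive. It is also worth confirming that `validateCodeChallenge()` rejects a `null` `$codeVerifier` with an `invalidRequest` error rather than passing it into a string comparison, since after this reorder that call is the only path that sees a stored challenge with no verifier supplied. `respondToAccessTokenRequest()` starts before the first hunk and continues past the second, so the surrounding checks (client authentication, code expiry, revocation) are not visible here.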