Ory Hydra - In PKCE flow where is code_verifier stored and checked?

Question

I am using Ory Hydra to complete an OAuth2 authorization_code flow with PKCE. Something is wrong with my setup. The code verifier is not actually validated. I am able to exchange the authz code for a token whether I provide the right verifier, an invalid one or even not provide one at all.

I am looking through the Hydra source code but having a hard time finding:

Where is the code that adds the session to the PKCE table? This is probably called by the oauth2/auth endpoint.
Where is the code that validates the code_verifier? I assume it's called by the oauth2/token endpoint

PS: These lines look like what would be called when saving and retrieving the PKCE session. However I don't see them executed anywhere in the package so I don't know how/where the PKCE inputs get validated

score 0 · Accepted Answer · answered Feb 19 '22 at 01:25

This line creates the PKCE session (adds entry to the table): https://github.com/ory/fosite/blob/master/handler/pkce/handler.go#L129

Turns out my code was not calling it because PKCE was not listed amongst the AuthorizeEndpointHandlers for the Registry.OAuthProvider() settings

Ory Hydra - In PKCE flow where is code_verifier stored and checked?

1 Answers1