security: fix CVE-2024-23647
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
BeryJu committed Jan 29, 2024
1 parent dca8c83 commit 38e04ae
Showing 1 changed file with 5 additions and 1 deletion.
6 changes: 5 additions & 1 deletion authentik/providers/oauth2/views/token.py
@@ -232,7 +232,7 @@ def __post_init_code(self, raw_code: str, request: HttpRequest):
if self.authorization_code.code_challenge:
# Authorization code had PKCE but we didn't get one
if not self.code_verifier:
raise TokenError("invalid_request")
raise TokenError("invalid_grant")

Codecov / codecov/patch warning (authentik/providers/oauth2/views/token.py#L235): added line #L235 was not covered by tests.
if self.authorization_code.code_challenge_method == PKCE_METHOD_S256:
new_code_challenge = (
urlsafe_b64encode(sha256(self.code_verifier.encode("ascii")).digest())
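Review bot: the new `raise TokenError("invalid_grant")` at line 235 has no test exercising it (Codecov flags the line as uncovered); please add a token-endpoint test that redeems an authorization code issued with a `code_challenge` while omitting `code_verifier` and asserts the response error is `invalid_grant`. The change itself is consistent with the mismatch branch below it, which already raises `invalid_grant` when `new_code_challenge != self.authorization_code.code_challenge`, so a client now sees the same error whether the verifier is missing or wrong; that is a behaviour change for clients that matched on `invalid_request`, so it is worth a line in the commit message or changelog.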
@@ -245,6 +245,10 @@ def __post_init_code(self, raw_code: str, request: HttpRequest):
if new_code_challenge != self.authorization_code.code_challenge:
LOGGER.warning("Code challenge not matching")
raise TokenError("invalid_grant")
# Token request had a code_verifier but code did not have a code challenge
# Prevent downgrade
if not self.authorization_code.code_challenge and self.code_verifier:
raise TokenError("invalid_grant")

Codecov / codecov/patch warning (authentik/providers/oauth2/views/token.py#L251): added line #L251 was not covered by tests.

def __post_init_refresh(self, raw_token: str, request: HttpRequest):
if not raw_token:
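Review bot: the downgrade check at line 251 is the core of the fix but is also uncovered by tests; add a test that issues an authorization code without any `code_challenge`, then redeems it with a `code_verifier` present and asserts `invalid_grant`, since a regression here silently reintroduces the downgrade. On structure, this branch sits after the whole `if self.authorization_code.code_challenge:` block, so the three PKCE outcomes (challenge without verifier, verifier without challenge, mismatch) are spread across two places; consider hoisting it next to the `if not self.code_verifier:` check so the full matrix reads in one spot. Note also that the check only fires when the client actually sends a `code_verifier`; a code issued without a challenge and redeemed without a verifier is still accepted, so enforcing PKCE per provider remains a separate decision outside this patch.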
