I am using Ory Hydra to complete an OAuth2 authorization_code flow with PKCE. Something is wrong with my setup. The code verifier is not actually validated. I am able to exchange the authz code for a token whether I provide the right verifier, an invalid one or even not provide one at all.
I am looking through the Hydra source code but having a hard time finding:

- oauth2/auth endpoint
- oauth2/token endpoint

PS: These lines look like what would be called when saving and retrieving the PKCE session. However, I don't see them executed anywhere in the package, so I don't know how/where the PKCE inputs get validated.
This line creates the PKCE session (adds entry to the table): https://github.com/ory/fosite/blob/master/handler/pkce/handler.go#L129
Turns out my code was not calling it because PKCE was not listed amongst the AuthorizeEndpointHandlers for the Registry.OAuthProvider() settings.
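As an added example (not Hydra's or fosite's own code; the Session, TokenHandler and ExchangeCode names are constructed for illustration), a minimal Go model of the token-endpoint handler chain: it shows why the code exchange succeeds with any verifier, or none, when no PKCE handler is registered, and what the RFC 7636 S256 check enforces once it is.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
)
// Session is a constructed stand-in for what the authorize endpoint persists per code.
type Session struct {
	Code      string
	Challenge string // code_challenge received on /oauth2/auth, method S256
}
type TokenHandler func(sess *Session, verifier string) error // one handler in the chain

// S256Challenge derives the RFC 7636 challenge: BASE64URL(SHA256(verifier)).
func S256Challenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// PKCEHandler rejects the exchange unless code_verifier matches the stored challenge.
func PKCEHandler(sess *Session, verifier string) error {
	if sess.Challenge == "" || verifier == "" {
		return fmt.Errorf("pkce: code_challenge or code_verifier missing")
	}
	got := S256Challenge(verifier)
	if subtle.ConstantTimeCompare([]byte(got), []byte(sess.Challenge)) != 1 {
		return fmt.Errorf("pkce: code_verifier does not match code_challenge")
	}
	return nil
}

// ExchangeCode issues a token only if every handler passes; no PKCEHandler means any verifier is accepted.
func ExchangeCode(handlers []TokenHandler, sess *Session, verifier string) (string, error) {
	for _, h := range handlers {
		if err := h(sess, verifier); err != nil {
			return "", err
		}
	}
	return "access-token-for-" + sess.Code, nil
}

func main() {
	sess := &Session{Code: "abc123", Challenge: S256Challenge("correct-verifier")}
	_, noPKCE := ExchangeCode(nil, sess, "bogus") // no handler registered: accepted
	_, withPKCE := ExchangeCode([]TokenHandler{PKCEHandler}, sess, "bogus")
	fmt.Println("no handler:", noPKCE, "| with handler:", withPKCE)
}
```

A quick way to confirm the fix on a running instance is to repeat the exchange with a deliberately wrong code_verifier: once the PKCE handler is registered, /oauth2/token must return an error instead of a token.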