Fix: don't send code_challenge in PAR flow when disablePkce is true#2209

Merged

damienbod merged 4 commits into main from fix/disable-pkce-par-flow on May 28, 2026

Conversation

@FabianGosebrink (Collaborator)

Summary

Background

Issue #2077 reported that strict authorization servers reject code_challenge= (empty) when disablePkce: true. PR #2159 fixed this for the standard authorize URL by adding a !configuration.disablePkce guard in createAuthorizeUrl. The PAR flow constructs its request body in a separate method (createBodyForParCodeFlowRequest) that was missed — it unconditionally generated a code verifier and appended a populated code_challenge, defeating the purpose of disablePkce for PAR consumers.

Changes

  • url.service.ts: createBodyForParCodeFlowRequest now calls the existing getCodeChallenge(configuration) helper instead of inlining the verifier+challenge generation, and guards the two params.append('code_challenge'...) / params.append('code_challenge_method'...) calls behind !configuration.disablePkce.
  • url.service.spec.ts: new test `omits code_challenge and code_challenge_method when disablePkce is true`, asserting that the output URL is clean and that createCodeVerifier / generateCodeChallenge are not called.

Test plan

  • New unit test fails before the fix, passes after (verified locally — TDD)
  • Full library test suite: 984 / 984 SUCCESS
  • `npm run lint-lib` clean
  • Manually verify against a real PAR-enabled IdP with `disablePkce: true` (recommended that a reviewer with a PAR setup confirm this)

Refs #2077
Related: #2159

🤖 Generated with Claude Code

createBodyForParCodeFlowRequest was unconditionally appending
code_challenge and code_challenge_method to the PAR request body,
even when disablePkce: true. Strict authorization servers reject
the request because code_challenge is invalid (or, after #2159,
empty in the standard authorize URL but populated here).

Mirror the pattern used in createAuthorizeUrl: route challenge
generation through the existing getCodeChallenge helper (which
short-circuits when PKCE is disabled) and guard the param append.

Adds a unit test asserting that code_challenge,
code_challenge_method, the code verifier creation, and the
challenge generation are all skipped when disablePkce is true.

Refs #2077

CI's `npm ci` was failing with "Missing from lock file" for
@emnapi/core@1.10.0, @emnapi/runtime@1.10.0, @types/node@25.9.1,
and chokidar@4.0.3. Regenerated the lockfile under Node 20
(matching CI's setup-node@v5 with node-version: 20) so the
required transitive entries are present.

Verified locally with `npm ci --dry-run` under Node 20.
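
As an added example, not code from this PR or from the library itself: the TypeScript below mirrors the guard described under Changes and in the first commit message, a PAR request-body builder in which both PKCE parameters sit behind the `disablePkce` check and the S256 challenge is derived as RFC 7636 specifies. The `OpenIdConfiguration` interface shown here, the `configId` field, the `InMemoryVerifierStore`, the injectable verifier factory and the `emptyPkceParams` check are all assumptions made for the example; the library's real `createBodyForParCodeFlowRequest` and `getCodeChallenge` signatures are not shown on this page.

```typescript
import { createHash, randomBytes } from 'node:crypto';

// Stand-in for the library's per-client configuration. Only the fields this
// example needs are modelled; the interface is an assumption, not the real one.
export interface OpenIdConfiguration {
  configId: string;
  clientId: string;
  redirectUrl: string;
  scope: string;
  disablePkce?: boolean;
}

// Hypothetical in-memory store for the code verifier, which has to survive until
// the token request; the real library keeps it in its own storage service.
export class InMemoryVerifierStore {
  private readonly verifiers = new Map<string, string>();
  set(configId: string, verifier: string): void { this.verifiers.set(configId, verifier); }
  get(configId: string): string | undefined { return this.verifiers.get(configId); }
  get size(): number { return this.verifiers.size; }
}

function base64UrlEncode(bytes: Buffer): string {
  return bytes.toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// RFC 7636 section 4.1: 32 random bytes encode to 43 unreserved characters,
// the minimum verifier length.
export function createCodeVerifier(): string {
  return base64UrlEncode(randomBytes(32));
}

// RFC 7636 section 4.2, method S256: BASE64URL(SHA256(ASCII(code_verifier))).
export function generateCodeChallenge(verifier: string): string {
  return base64UrlEncode(createHash('sha256').update(verifier).digest());
}

// Short-circuits when PKCE is disabled: no verifier is created or stored, and
// null tells the caller to leave both PKCE parameters out entirely.
export function getCodeChallenge(
  config: OpenIdConfiguration,
  store: InMemoryVerifierStore,
  createVerifier: () => string = createCodeVerifier,
): string | null {
  if (config.disablePkce) {
    return null;
  }
  const verifier = createVerifier();
  store.set(config.configId, verifier);
  return generateCodeChallenge(verifier);
}

// Builds the application/x-www-form-urlencoded body of a pushed authorization
// request (RFC 9126). Both PKCE parameters sit behind the same guard, so a
// strict server never sees an empty code_challenge= or a method without a challenge.
export function createBodyForParCodeFlowRequest(
  config: OpenIdConfiguration,
  store: InMemoryVerifierStore,
  state: string,
  nonce: string,
  createVerifier: () => string = createCodeVerifier,
): string {
  const params = new URLSearchParams();
  params.append('client_id', config.clientId);
  params.append('redirect_uri', config.redirectUrl);
  params.append('response_type', 'code');
  params.append('scope', config.scope);
  params.append('state', state);
  params.append('nonce', nonce);

  const codeChallenge = getCodeChallenge(config, store, createVerifier);
  if (!config.disablePkce && codeChallenge !== null) {
    params.append('code_challenge', codeChallenge);
    params.append('code_challenge_method', 'S256');
  }
  return params.toString();
}

// Reviewer check over a finished body: returns the PKCE parameters that are
// present but empty, which is exactly what strict authorization servers reject.
export function emptyPkceParams(body: string): string[] {
  const params = new URLSearchParams(body);
  return ['code_challenge', 'code_challenge_method'].filter(
    (name) => params.has(name) && params.get(name) === '',
  );
}

// Constructed sample configuration (not taken from the library's documentation).
export const sampleConfig: OpenIdConfiguration = {
  configId: 'default', clientId: 'spa-client', redirectUrl: 'https://app.example/callback',
  scope: 'openid profile', disablePkce: true,
};

const demoStore = new InMemoryVerifierStore();
const demoBody = createBodyForParCodeFlowRequest(sampleConfig, demoStore, 'st4te', 'n0nce');
console.log(demoBody);                  // no code_challenge, no code_challenge_method
console.log(emptyPkceParams(demoBody)); // []
console.log(demoStore.size);            // 0: no verifier was ever generated
```

The last three lines run the builder with `disablePkce: true` and show what the new unit test asserts: neither parameter is present, and because `getCodeChallenge` returned early no verifier was created, so nothing reaches the store. With `disablePkce: false` the body carries `code_challenge` and `code_challenge_method=S256` together, and the stored verifier reproduces that challenge. `emptyPkceParams` is the check a reviewer with a PAR setup can run over a body captured on the wire, since an empty `code_challenge=` is the symptom strict servers reject.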

@FabianGosebrink (Collaborator, Author)

@damienbod Please Review.

damienbod merged commit c4908a2 into main on May 28, 2026 (5 checks passed)
damienbod deleted the fix/disable-pkce-par-flow branch on May 28, 2026 at 19:22

2 participants