LittleSheep 74a9ca98ad ♻️ Refactor OpenID: Phase 2: Security Hardening - PKCE Implementation ...

- Added GenerateCodeVerifier() and GenerateCodeChallenge() methods to base OidcService
- Implemented PKCE (Proof Key for Code Exchange) for Google OAuth flow:
  * Generate cryptographically secure code verifier (256-bit random)
  * Create SHA-256 code challenge for authorization request
  * Cache code verifier with 15-minute expiration for token exchange
  * Validate and remove code verifier during callback to prevent replay attacks
- Enhances security by protecting against authorization code interception attacks
- Uses S256 (SHA-256) code challenge method as per RFC 7636

2025-11-02 15:05:19 +08:00

12 KiB

Raw Blame History

View Raw