authentik is an open-source identity provider. When initialising a oauth2 flow with a code_challenge
and code_method
(thus requesting PKCE), the single sign-on provider (authentik) must check if there is a matching and existing code_verifier
during the token step. Prior to versions 2023.10.4 and 2023.8.5, authentik checks if the contents of code_verifier
is matching only when it is provided. When it is left out completely, authentik simply accepts the token request with out it; even when the flow was started with a code_challenge
. authentik 2023.8.5 and 2023.10.4 fix this issue.