lundberg/porchlight
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
porchlight/tests/test_oidc
History
Johan Lundberg 71a7c23bdd
fix(security): verify S256 PKCE when relying parties use it 
idpyoidc advertised PKCE support but did not actually verify the code
challenge at the token endpoint, so a sent code_challenge provided no
protection. Enable the PKCE add-on restricted to S256.

Configured as non-essential: relying parties that do not send a
code_challenge continue to work (no breaking change), but any RP that uses
PKCE must use S256, and the code_verifier is verified at token exchange.
Flip essential=True (or per-client pkce_essential) to require PKCE once all
clients have migrated.

Refs: porchlight-s48

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-04 11:00:30 +02:00
..
__init__.py chore: create package structure with src layout 2026-02-12 14:39:07 +01:00
test_app_integration.py feat: integrate idpyoidc server into app lifespan 2026-02-16 13:29:39 +01:00
test_authorization.py feat: add OIDC discovery, JWKS, and authorization endpoints 2026-02-16 13:33:40 +01:00
test_claims.py update all imports in test files: fastapi_oidc_op → porchlight 2026-02-16 15:34:53 +01:00
test_consent_flow.py fix(security): reject consent scopes outside the original request 2026-06-04 10:26:55 +02:00
test_discovery.py feat: add OIDC discovery, JWKS, and authorization endpoints 2026-02-16 13:33:40 +01:00
test_e2e_flow.py fix(security): verify S256 PKCE when relying parties use it 2026-06-04 11:00:30 +02:00
test_login_oidc_redirect.py fix: reorder imports and use ty-compatible type suppression 2026-02-19 14:29:01 +01:00
test_provider.py fix: resolve all ruff lint errors and type checker warnings 2026-03-31 15:48:46 +02:00
test_token.py fix: reorder imports and use ty-compatible type suppression 2026-02-19 14:29:01 +01:00
test_userinfo.py fix: reorder imports and use ty-compatible type suppression 2026-02-19 14:29:01 +01:00