refactor: remove PKCE from OIDC flow (confidential client)

Backend holds client_secret and does the token exchange server-side, making PKCE redundant. Removes code_verifier/code_challenge from all frontend auth paths and backend exchange method. Eliminates the source of "grant request is invalid" errors from verifier mismatches. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-07 10:22:13 +02:00
parent 03ff9a3813
commit d4b530ff8a
7 changed files with 23 additions and 66 deletions
--- a/ui/src/auth/OidcCallback.tsx
+++ b/ui/src/auth/OidcCallback.tsx
@@ -27,25 +27,15 @@ export function OidcCallback() {
      // consent_required — retry without prompt=none so user can grant scopes
      if (errorParam === 'consent_required' && !sessionStorage.getItem('oidc-consent-retry')) {
        sessionStorage.setItem('oidc-consent-retry', '1');
-        api.GET('/auth/oidc/config').then(async ({ data }) => {
+        api.GET('/auth/oidc/config').then(({ data }) => {
          if (data?.authorizationEndpoint && data?.clientId) {
            const redirectUri = `${window.location.origin}${config.basePath}oidc/callback`;
-            const array = new Uint8Array(32);
-            crypto.getRandomValues(array);
-            const verifier = btoa(String.fromCharCode(...array))
-              .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
-            sessionStorage.setItem('oidc-code-verifier', verifier);
-            const digest = await crypto.subtle.digest('SHA-256', new TextEncoder().encode(verifier));
-            const challenge = btoa(String.fromCharCode(...new Uint8Array(digest)))
-              .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
            const scopes = ['openid', 'email', 'profile', ...(data.additionalScopes || [])];
            const p = new URLSearchParams({
              response_type: 'code',
              client_id: data.clientId,
              redirect_uri: redirectUri,
              scope: scopes.join(' '),
-              code_challenge: challenge,
-              code_challenge_method: 'S256',
            });
            if (data.resource) p.set('resource', data.resource);
            window.location.href = `${data.authorizationEndpoint}?${p}`;
@@ -71,9 +61,7 @@ export function OidcCallback() {
    }

    const redirectUri = `${window.location.origin}${config.basePath}oidc/callback`;
-    const codeVerifier = sessionStorage.getItem('oidc-code-verifier') ?? undefined;
-    sessionStorage.removeItem('oidc-code-verifier');
-    loginWithOidcCode(code, redirectUri, codeVerifier);
+    loginWithOidcCode(code, redirectUri);
  }, [loginWithOidcCode]);

  if (isAuthenticated) return <Navigate to="/" replace />;