identity: PKCE S256 (RFC 7636 §4.2) — now the erlang binary substrate is fixed

oauth.sx routes the PKCE check through pkce_ok: an S256 challenge carried as
{s256, Hash} compares crypto:hash(sha256, Verifier) =:= Hash; a bare
challenge stays plain (§4.1), so both methods coexist with no change to
existing flows (the bare path is the old =:= behaviour). Raw sha256 digests
are compared (base64url is wire encoding, omitted). New tests/pkce.sx (6,
incl. S256 through PAR). Verified pkce 6/6; substrate fix is in the
preceding commit. 239 total.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-07 14:12:10 +00:00
parent 92f60d4b8d
commit 37b7d1635c
4 changed files with 120 additions and 3 deletions


@@ -50,6 +50,7 @@ SUITES=(
"par|id-par-test-pass|id-par-test-count"
"dynreg|id-dyn-test-pass|id-dyn-test-count"
"account|id-acct-test-pass|id-acct-test-count"
"pkce|id-pkce-test-pass|id-pkce-test-count"
)
cat > "$TMPFILE" << 'EPOCHS'
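Review bot: The new "pkce|id-pkce-test-pass|id-pkce-test-count" entry in SUITES is repeated by hand in two more places in the heredoc, the (load "lib/identity/tests/pkce.sx") line and the (epoch 122)/(eval ...) pair, so one suite is registered in three spots. Consider generating the load and eval lines from SUITES, or at least checking that every SUITES entry has both, so a suite cannot be listed here yet never loaded or evaluated.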
@@ -95,6 +96,7 @@ cat > "$TMPFILE" << 'EPOCHS'
(load "lib/identity/tests/par.sx")
(load "lib/identity/tests/dynreg.sx")
(load "lib/identity/tests/account.sx")
(load "lib/identity/tests/pkce.sx")
(epoch 100)
(eval "(list id-session-test-pass id-session-test-count)")
(epoch 101)
@@ -139,6 +141,8 @@ cat > "$TMPFILE" << 'EPOCHS'
(eval "(list id-dyn-test-pass id-dyn-test-count)")
(epoch 121)
(eval "(list id-acct-test-pass id-acct-test-count)")
(epoch 122)
(eval "(list id-pkce-test-pass id-pkce-test-count)")
EPOCHS
timeout 1200 "$SX_SERVER" < "$TMPFILE" > "$OUTFILE" 2>&1
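Review bot: (epoch 122) is a hand-assigned number continuing from (epoch 121); if the result parser pairs epochs with SUITES by position, a later insertion in the middle of either list would attribute the pkce counts to the wrong suite, so deriving the epoch from the SUITES index would be safer. The eval also returns only id-pkce-test-pass and id-pkce-test-count, so a failing PKCE case shows up as a bare count with no test name; for a security check it would help to emit the names of failing cases as well.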