bug for server side to generate verifier and challenge pairs #505
Comments
I'm not understanding your explanation above. Can you use an example along with step-by-step instructions of the issue, please?
Let me try to explain again before deploying a demo :) In "pkce" mode, step 1, a Google login link is generated and not clicked. If you dive deep into the related code, a
You've just described how
It's OK for a frontend lib, because the browser remembers which verifier key is used, but the backend generates the verifier key in one request and verifies it in another, in which case the backend can't remember which verifier key belongs to which challenge.
I'm looking into this to see what's the best way to handle it with the current setup. Ideally we need to get the
So I have a solution for this, which would mean saving the sessions as cookies and then retrieving them on a per-request basis. In my current setup I'm using cookies and Redis; the cookie stores the
It should work. For now, is there any method to pass cookies to verify the code_challenge?
https://github.com/supabase-community/auth-py/blob/16e571fc19168314d82074523de6f246bdd74960/supabase_auth/_sync/gotrue_client.py#L943C9-L952C1
For example:
User A generates a URL with verifier A, and user A doesn't verify immediately.
Then user A generates another URL; now the previous URL won't be verified by the new code_verifier.
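
The scenario above, as an added example that is not part of the original issue or the auth-py code base: a simplified model of a server that keeps one shared verifier slot, next to one that keys each pending verifier by a flow id. The class names, `flow_id`, and the idea of carrying it in a cookie are assumptions for illustration; the S256 derivation follows RFC 7636.

```python
import base64
import hashlib
import secrets

def make_verifier() -> str:
    # RFC 7636: 43-128 chars from the unreserved set; token_urlsafe(64) gives 86.
    return secrets.token_urlsafe(64)

def s256_challenge(verifier: str) -> str:
    # code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), padding stripped
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

class SingleSlotStore:
    """Hypothetical model: one verifier slot shared by every request."""
    def __init__(self):
        self._verifier = None

    def start_flow(self):
        self._verifier = make_verifier()  # overwrites any earlier pending flow
        return None, s256_challenge(self._verifier)

    def verifier_for(self, flow_id):
        return self._verifier  # always the most recent one

class PerFlowStore:
    """Hypothetical fix: verifier keyed by a random flow id (e.g. kept in a cookie)."""
    def __init__(self):
        self._pending = {}

    def start_flow(self):
        flow_id = secrets.token_urlsafe(16)
        self._pending[flow_id] = make_verifier()
        return flow_id, s256_challenge(self._pending[flow_id])

    def verifier_for(self, flow_id):
        # pop: a verifier is single-use, and an unknown id yields None
        return self._pending.pop(flow_id, None)

def first_link_still_valid(store) -> bool:
    """Generate two login links, then complete the FIRST one."""
    flow_a, challenge_a = store.start_flow()
    store.start_flow()  # second link generated before the first is used
    verifier = store.verifier_for(flow_a)
    # The authorization server accepts the code only if this holds.
    return verifier is not None and s256_challenge(verifier) == challenge_a
```

In a multi-process deployment the `_pending` dict would have to live in shared storage with an expiry, and the flow id should be bound to the browser session so another client cannot redeem it.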