[medium] oauth-patterns: OAuth flow without PKCE #38

Open
opened 2026-03-11 15:52:43 +00:00 by sharang · 0 comments

medium Finding

Scanner: oauth-patterns
Severity: medium
Rule: oauth-missing-pkce

Description

Authorization code flow should use PKCE (code_challenge/code_verifier) for public clients.

Location

File: librechat/openidStrategy.js (line 685)

Code

      clientMetadata.grant_types = ['authorization_code'];

Remediation

Add PKCE support by implementing code_challenge and code_verifier parameters in the OAuth flow. Modify the clientMetadata to include PKCE requirements and ensure the authorization code exchange includes proper challenge validation.


Fingerprint: 7301979b0eeb613943678c3b0dddccdc50c10e7bf454740617b2685ae3e95091
Generated by compliance-scanner

Labels: severity:medium, scanner:oauth-patterns, compliance-scanner


Reference: sharang/certifai#38