[medium] oauth-patterns: OAuth flow without PKCE #39

Open
opened 2026-03-11 15:52:43 +00:00 by sharang · 0 comments
medium Finding

Scanner: oauth-patterns
Severity: medium
Rule: oauth-missing-pkce

Description

Authorization code flow should use PKCE (code_challenge/code_verifier) for public clients.

Location

File: src/infrastructure/auth.rs (line 207)

Code

            ("grant_type", "authorization_code"),

Remediation

Add PKCE support by generating a code_verifier, creating a code_challenge from it, and including both in the authorization request. The code_verifier should be stored securely and used when exchanging the authorization code for an access token.
Fingerprint: 29d02c2b928ed957c10752516acb9af3056476965583abcd4ab0f5427b1a8416
Generated by compliance-scanner

Labels: severity:medium, scanner:oauth-patterns, compliance-scanner


Reference: sharang/certifai#39