[medium] oauth-patterns: OAuth flow without PKCE #40

New Issue

Open

opened 2026-03-18 16:01:25 +00:00 by sharang · 0 comments

sharang commented 2026-03-18 16:01:25 +00:00

Owner

Copy Link

medium Finding

Scanner: oauth-patterns
Severity: medium
Rule: oauth-missing-pkce

Description

Authorization code flow should use PKCE (code_challenge/code_verifier) for public clients.

Location

File: compliance-dashboard/src/infrastructure/auth.rs (line 151)

Code

            ("grant_type", "authorization_code"),

---

Fingerprint: 4b12b424f24d0dbcefb77999b6f10aa56c236b9265c99e77a8dc189a487ed5db
Generated by compliance-scanner

Labels: severity:medium, scanner:oauth-patterns, compliance-scanner

## medium Finding **Scanner:** oauth-patterns **Severity:** medium **Rule:** oauth-missing-pkce ### Description Authorization code flow should use PKCE (code_challenge/code_verifier) for public clients. ### Location **File:** `compliance-dashboard/src/infrastructure/auth.rs` (line 151) ### Code ``` ("grant_type", "authorization_code"), ``` --- *Fingerprint:* `4b12b424f24d0dbcefb77999b6f10aa56c236b9265c99e77a8dc189a487ed5db` *Generated by compliance-scanner* **Labels:** severity:medium, scanner:oauth-patterns, compliance-scanner

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

fix/multiple-issues

feat/cve-alerts

feat/e2e-tests

feat/help-chat-widget

fix/cascade-delete-repo

feat/refine-llm-prompts

fix/gitea-pr-review-error-handling

test/dummy-bad-code

fix/remove-code-review-from-findings

feat/pentest-onboarding

v0.2.0

Labels

Clear labels

bug

critical

enhancement

high

infrastructure

performance

security

v0.3.0

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

sharang

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: sharang/compliance-scanner-agent#40