fix(auth): make PKCE optional per ADR-003

PKCE was incorrectly required in the /authorize endpoint, contradicting ADR-003 which defers PKCE to v1.1.0. Changes: - PKCE parameters are now optional in /authorize - If code_challenge provided, validates method is S256 - Defaults to S256 if method not specified - Logs when clients don't use PKCE for monitoring - Updated tests for optional PKCE behavior This fixes authentication for clients that don't implement PKCE. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-12-17 15:23:44 -07:00
parent 1ea2afcaa4
commit 404d723ef8
6 changed files with 895 additions and 34 deletions
--- a/src/gondulf/routers/authorization.py
+++ b/src/gondulf/routers/authorization.py
@@ -322,25 +322,23 @@ async def authorize_get(
        redirect_url = f"{redirect_uri}?{urlencode(error_params)}"
        return RedirectResponse(url=redirect_url, status_code=302)

-    # Validate code_challenge (PKCE required)
-    if not code_challenge:
-        error_params = {
-            "error": "invalid_request",
-            "error_description": "code_challenge is required (PKCE)",
-            "state": state or ""
-        }
-        redirect_url = f"{redirect_uri}?{urlencode(error_params)}"
-        return RedirectResponse(url=redirect_url, status_code=302)
-
-    # Validate code_challenge_method
-    if code_challenge_method != "S256":
-        error_params = {
-            "error": "invalid_request",
-            "error_description": "code_challenge_method must be S256",
-            "state": state or ""
-        }
-        redirect_url = f"{redirect_uri}?{urlencode(error_params)}"
-        return RedirectResponse(url=redirect_url, status_code=302)
+    # PKCE validation (optional in v1.0.0, per ADR-003)
+    # If code_challenge is provided, validate method is S256
+    # If not provided, proceed without PKCE
+    if code_challenge:
+        if code_challenge_method and code_challenge_method != "S256":
+            error_params = {
+                "error": "invalid_request",
+                "error_description": "code_challenge_method must be S256",
+                "state": state or ""
+            }
+            redirect_url = f"{redirect_uri}?{urlencode(error_params)}"
+            return RedirectResponse(url=redirect_url, status_code=302)
+        # Default to S256 if not specified but challenge provided
+        if not code_challenge_method:
+            code_challenge_method = "S256"
+    else:
+        logger.info(f"Client {client_id} not using PKCE (optional in v1.0.0)")

    # Validate me parameter
    if not me: