Merge pull request #199 from harphield/fix-generate-pkce-code-verifier

Fix: generatePKCECodeVerifier length

Author: ADmad

src/OAuth2/AbstractProvider.php

@@ -27,6 +27,8 @@ abstract class AbstractProvider extends AbstractBaseProvider
 
     protected bool $pkce = false;
 
+    protected int $pkceCodeVerifierByteLength = 96;
+
     /**
      * @return string
      */
@@ -50,7 +52,7 @@ public function getAuthUrlParameters(): array
         $parameters['response_type'] = 'code';
 
         if ($this->pkce) {
-            $codeVerifier = $this->generatePKCECodeVerifier();
+            $codeVerifier = $this->generatePKCECodeVerifier($this->pkceCodeVerifierByteLength);
             $this->session->set('code_verifier', $codeVerifier);
 
             $parameters['code_challenge'] = $this->generatePKCECodeChallenge($codeVerifier);
@@ -60,13 +62,15 @@ public function getAuthUrlParameters(): array
         return $parameters;
     }
 
-    private function generatePKCECodeVerifier(int $length = 128)
+    private function generatePKCECodeVerifier(int $byteLength = 96): string
     {
-        if ($length < 43 || $length > 128) {
-            throw new \Exception("Length must be between 43 and 128");
+        if ($byteLength < 32 || $byteLength > 96) {
+            throw new \Exception(
+                "Final length must be between 43 and 128, so the number of random bytes must be between 32 and 96"
+            );
         }
 
-        $randomBytes = random_bytes($length);
+        $randomBytes = random_bytes($byteLength);
         return rtrim(strtr(base64_encode($randomBytes), '+/', '-_'), '=');
     }