simplesamlphp
diff --git a/‎lib/Entity/UserEntity.php‎
Lines changed: 2 additions & 2 deletions b/‎lib/Entity/UserEntity.php‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎lib/Server/Grants/AuthCodeGrant.php‎
Lines changed: 10 additions & 2 deletions b/‎lib/Server/Grants/AuthCodeGrant.php‎
Lines changed: 10 additions & 2 deletions
diff --git a/‎templates/oidc_base.twig‎
Lines changed: 1 addition & 1 deletion b/‎templates/oidc_base.twig‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎www/assets/jquery/jquery-3.3.1.min.js‎
Lines changed: 0 additions & 2 deletions b/‎www/assets/jquery/jquery-3.3.1.min.js‎
Lines changed: 0 additions & 2 deletions
diff --git a/‎www/assets/jquery/jquery-3.6.4.min.js‎
Lines changed: 2 additions & 0 deletions b/‎www/assets/jquery/jquery-3.6.4.min.js‎
Lines changed: 2 additions & 0 deletions
@@ -68,7 +68,7 @@ public static function fromState(array $state): self
         $user = new self();
 
         $user->identifier = $state['id'];
-        $user->claims = json_decode($state['claims'], true);
+        $user->claims = json_decode($state['claims'], true, 512, JSON_INVALID_UTF8_SUBSTITUTE);
         $user->updatedAt = TimestampGenerator::utc($state['updated_at']);
         $user->createdAt = TimestampGenerator::utc($state['created_at']);
 
@@ -82,7 +82,7 @@ public function getState(): array
     {
         return [
             'id' => $this->getIdentifier(),
-            'claims' => json_encode($this->getClaims()),
+            'claims' => json_encode($this->getClaims(), JSON_INVALID_UTF8_SUBSTITUTE),
             'updated_at' => $this->getUpdatedAt()->format('Y-m-d H:i:s'),
             'created_at' => $this->getCreatedAt()->format('Y-m-d H:i:s'),
         ];
 
@@ -352,10 +352,18 @@ public function respondToAccessTokenRequest(
             throw OAuthServerException::invalidRequest('code', 'Cannot decrypt the authorization code', $e);
         }
 
+        $codeVerifier = $this->getRequestParameter('code_verifier', $request, null);
+
+        // If a code challenge isn't present but a code verifier is, reject the request to block PKCE downgrade attack
+        if ($this->shouldCheckPkce($client) && empty($authCodePayload->code_challenge) && $codeVerifier !== null) {
+            throw OAuthServerException::invalidRequest(
+                'code_challenge',
+                'code_verifier received when no code_challenge is present'
+            );
+        }
+
         // Validate code challenge
         if (!empty($authCodePayload->code_challenge)) {
-            $codeVerifier = $this->getRequestParameter('code_verifier', $request, null);
-
             if ($codeVerifier === null) {
                 throw OAuthServerException::invalidRequest('code_verifier');
             }
 
@@ -101,7 +101,7 @@
     </div>
 </body>
 {% block postload %}
-    <script type="text/javascript" src="{{ asset('jquery/jquery-3.3.1.min.js', 'oidc') }}"></script>
+    <script type="text/javascript" src="{{ asset('jquery/jquery-3.6.4.min.js', 'oidc') }}"></script>
     <script type="text/javascript" src="{{ asset('fomantic/semantic.min.js', 'oidc') }}"></script>
     <script>
         $(document).ready(function () {