member/member-backend
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(oidc): add PKCE support for keycloak login flow

Browse Source
This commit is contained in:
Chris
2026-04-01 01:43:53 +08:00
parent 94ae0e5a7a
commit d16722ebf8
2 changed files with 8 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
app/api/auth.py
View File

@@ -117,6 +117,8 @@ def get_oidc_authorize_url(
login_hint: str | None = None, login_hint: str | None = None,
prompt: str = "login", prompt: str = "login",
idp_hint: str | None = None, idp_hint: str | None = None,
code_challenge: str | None = None,
code_challenge_method: str | None = None,
) -> OIDCAuthUrlResponse: ) -> OIDCAuthUrlResponse:
settings = get_settings() settings = get_settings()
client_id = settings.idp_client_id or settings.idp_audience client_id = settings.idp_client_id or settings.idp_audience
@@ -137,6 +139,9 @@ def get_oidc_authorize_url(
query["login_hint"] = login_hint query["login_hint"] = login_hint
if idp_hint and settings.use_keycloak: if idp_hint and settings.use_keycloak:
query["kc_idp_hint"] = idp_hint query["kc_idp_hint"] = idp_hint
if code_challenge:
query["code_challenge"] = code_challenge
query["code_challenge_method"] = code_challenge_method or "S256"
params = httpx.QueryParams(query) params = httpx.QueryParams(query)
return OIDCAuthUrlResponse(authorize_url=f"{authorize_endpoint}?{params}") return OIDCAuthUrlResponse(authorize_url=f"{authorize_endpoint}?{params}")
@@ -157,6 +162,8 @@ def exchange_oidc_code(payload: OIDCCodeExchangeRequest) -> LoginResponse:
"code": payload.code, "code": payload.code,
"redirect_uri": payload.redirect_uri, "redirect_uri": payload.redirect_uri,
} }
if payload.code_verifier:
form["code_verifier"] = payload.code_verifier
try: try:
resp = httpx.post( resp = httpx.post(

1
app/schemas/login.py
View File

@@ -20,3 +20,4 @@ class OIDCAuthUrlResponse(BaseModel):
class OIDCCodeExchangeRequest(BaseModel): class OIDCCodeExchangeRequest(BaseModel):
code: str code: str
redirect_uri: str redirect_uri: str
code_verifier: str | None = None