🐛 Bug Report: Public clients without PKCE do not work #382

Closed
opened 2026-02-04 19:21:29 +03:00 by OVERLORD · 1 comment

Originally created by @elee1766 on GitHub (Jul 18, 2025).

Reproduction steps

Try to use implicit auth flow with a public client with PKCE disabled.

Expected behavior

https://github.com/pocket-id/pocket-id/blob/main/backend/internal/service/oidc_service.go#L127-L130

	// If the client is not public, the code challenge must be provided
	if client.IsPublic && input.CodeChallenge == "" {
		return "", "", &common.OidcMissingCodeChallengeError{}
	}

The comment says "if the client is not public, the code challenge must be provided",

but this code is "if the client is public, then the code challenge must be provided" (or really, if the client is public and the code challenge is not provided, error).

Actual Behavior

I get the error "missing code challenge" if I try to use implicit auth with PKCE off.

Version and Environment

1.6.2, in docker

Log Output

Error #01: Missing code challenge
OVERLORD added the bug label 2026-02-04 19:21:29 +03:00

@stonith404 commented on GitHub (Jul 18, 2025):

Yeah the comment is wrong in that case, thanks.
We don't support the implicit flow though and are not planning to support it in the future because the flow isn't [recommended anymore](https://oauth.net/2/grant-types/implicit/).
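The rule the quoted check enforces, together with the token-endpoint half of PKCE (RFC 7636, S256 method), as an added Go example. It is not Pocket ID's code: `Client`, `PkceEnabled`, `CheckAuthorizeRequest`, `CheckTokenRequest` and `S256Challenge` are hypothetical names, and the per-client PKCE toggle is an assumption.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
)

var ErrMissingCodeChallenge = errors.New("missing code challenge")
var ErrBadCodeVerifier = errors.New("code verifier does not match challenge")

// Client is a hypothetical stand-in for the server's client record.
type Client struct {
	IsPublic    bool
	PkceEnabled bool // assumed opt-in toggle for confidential clients
}

// CheckAuthorizeRequest runs at the authorization endpoint. A public client
// has no secret, so the code challenge is mandatory for it.
func CheckAuthorizeRequest(c Client, codeChallenge string) error {
	if (c.IsPublic || c.PkceEnabled) && codeChallenge == "" {
		return ErrMissingCodeChallenge
	}
	return nil
}

// S256Challenge derives the challenge from a verifier (RFC 7636, section 4.2).
func S256Challenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// CheckTokenRequest runs at the token endpoint. storedChallenge is the value
// saved with the authorization code; empty means no challenge was sent.
func CheckTokenRequest(c Client, storedChallenge, verifier string) error {
	if storedChallenge == "" {
		return CheckAuthorizeRequest(c, "") // fails closed for public clients
	}
	got := S256Challenge(verifier)
	if subtle.ConstantTimeCompare([]byte(got), []byte(storedChallenge)) != 1 {
		return ErrBadCodeVerifier
	}
	return nil
}

func main() {
	fmt.Println(CheckAuthorizeRequest(Client{IsPublic: true}, ""))
}
```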
Reference: starred/pocket-id#382