diff --git a/oidc_provider/lib/endpoints/token.py b/oidc_provider/lib/endpoints/token.py
index 4acb005..3c703c9 100644
--- a/oidc_provider/lib/endpoints/token.py
+++ b/oidc_provider/lib/endpoints/token.py
@@ -9,6 +9,7 @@ except ImportError:
from Crypto.Cipher import AES
from django.http import JsonResponse
+from django.conf import settings as django_settings
from oidc_provider.lib.errors import *
from oidc_provider.lib.utils.params import *
@@ -96,7 +97,7 @@ class TokenEndpoint(object):
# Validate PKCE parameters.
if self.params.code_verifier:
- obj = AES.new(settings.SECRET_KEY, AES.MODE_CBC)
+ obj = AES.new(hashlib.md5(django_settings.SECRET_KEY).hexdigest(), AES.MODE_CBC)
code_challenge, code_challenge_method = tuple(obj.decrypt(self.code.code.decode('hex')).split(':'))
if code_challenge_method == 'S256':
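Review bot: The key handed to `AES.new` on the `+` line is `hashlib.md5(...).hexdigest()`, a 32-character hex string, so the 256-bit key is drawn from a 16-symbol alphabet and carries at most 128 bits of entropy, and `AES.MODE_CBC` is created without an IV, which PyCrypto appears to accept as an all-zero IV so equal challenges encrypt to equal ciphertexts; the `create_code` hunk in `oidc_provider/lib/utils/token.py` builds the cipher the same way. The `decrypt` result is only `split(':')`, with no integrity check, so a stored code value that was altered is parsed rather than rejected. A sturdier shape is `hashlib.sha256(django_settings.SECRET_KEY).digest()` for the key plus an explicit random IV (`Crypto.Random.new().read(AES.block_size)`) stored alongside the ciphertext, or, since the challenge needs no confidentiality, keeping `code_challenge` and its method as plain fields on the Code model. `hashlib` is not brought in by the import hunk above; if it is not already imported elsewhere in this file the new line raises NameError at runtime. The enclosing `TokenEndpoint` method starts and ends outside the hunk.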
diff --git a/oidc_provider/lib/utils/token.py b/oidc_provider/lib/utils/token.py
index 308364f..b7260a3 100644
--- a/oidc_provider/lib/utils/token.py
+++ b/oidc_provider/lib/utils/token.py
@@ -4,6 +4,7 @@ import uuid
from Crypto.Cipher import AES
from Crypto.PublicKey.RSA import importKey
+from django.conf import settings as django_settings
from django.utils import timezone
from hashlib import md5
from jwkest.jwk import RSAKey as jwk_RSAKey
@@ -110,7 +111,7 @@ def create_code(user, client, scope, nonce, is_authentication,
if not code_challenge:
code.code = uuid.uuid4().hex
else:
- obj = AES.new(settings.SECRET_KEY, AES.MODE_CBC)
+ obj = AES.new(md5(django_settings.SECRET_KEY).hexdigest(), AES.MODE_CBC)
# Default is 'plain' method.
code_challenge_method = 'plain' if not code_challenge_method else code_challenge_method
diff --git a/oidc_provider/templates/oidc_provider/hidden_inputs.html b/oidc_provider/templates/oidc_provider/hidden_inputs.html
index 59c7035..2bff39d 100644
--- a/oidc_provider/templates/oidc_provider/hidden_inputs.html
+++ b/oidc_provider/templates/oidc_provider/hidden_inputs.html
@@ -3,4 +3,6 @@
-
\ No newline at end of file
+
+
+
diff --git a/oidc_provider/tests/app/utils.py b/oidc_provider/tests/app/utils.py
index bd3989d..5164f4f 100644
--- a/oidc_provider/tests/app/utils.py
+++ b/oidc_provider/tests/app/utils.py
@@ -13,6 +13,7 @@ from oidc_provider.models import *
FAKE_NONCE = 'cb584e44c43ed6bd0bc2d9c7e242837d'
FAKE_RANDOM_STRING = ''.join(random.choice(string.ascii_uppercase + string.digits) for _ in range(32))
+FAKE_CODE_CHALLENGE = 'pG6flQqJa7INfIKb5cZVAXhTqvTKehIck6aQhdUuyWc'
def create_fake_user():
diff --git a/oidc_provider/tests/test_authorize_endpoint.py b/oidc_provider/tests/test_authorize_endpoint.py
index fc92fcc..5a3eaa2 100644
--- a/oidc_provider/tests/test_authorize_endpoint.py
+++ b/oidc_provider/tests/test_authorize_endpoint.py
@@ -122,6 +122,9 @@ class AuthorizationCodeFlowTestCase(TestCase):
'redirect_uri': self.client.default_redirect_uri,
'scope': 'openid email',
'state': self.state,
+ # PKCE parameters.
+ 'code_challenge': FAKE_CODE_CHALLENGE,
+ 'code_challenge_method': 'S256',
}).replace('+', '%20')
url = reverse('oidc_provider:authorize') + '?' + query_str
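Review bot: The added PKCE parameters send `FAKE_CODE_CHALLENGE` with `S256` on the authorize request, but no `code_verifier` appears in any visible hunk, so as far as this diff shows the new decrypt branch in `TokenEndpoint` (the `S256` comparison) is not exercised by a test; the same applies to the `to_check` and `post_data` hunks below. A companion token-endpoint test that posts a `code_verifier` paired with `FAKE_CODE_CHALLENGE` would pin the encrypt/decrypt round trip that this change touches. The enclosing test method starts outside the hunk.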
@@ -140,6 +143,8 @@ class AuthorizationCodeFlowTestCase(TestCase):
'client_id': self.client.client_id,
'redirect_uri': self.client.default_redirect_uri,
'response_type': 'code',
+ 'code_challenge': FAKE_CODE_CHALLENGE,
+ 'code_challenge_method': 'S256',
}
for key, value in iter(to_check.items()):
@@ -169,6 +174,9 @@ class AuthorizationCodeFlowTestCase(TestCase):
'response_type': response_type,
'scope': 'openid email',
'state': self.state,
+ # PKCE parameters.
+ 'code_challenge': FAKE_CODE_CHALLENGE,
+ 'code_challenge_method': 'S256',
}
request = self.factory.post(url, data=post_data)
diff --git a/oidc_provider/views.py b/oidc_provider/views.py
index 01f5d1b..c7010bb 100644
--- a/oidc_provider/views.py
+++ b/oidc_provider/views.py
@@ -87,7 +87,6 @@ class AuthorizeView(View):
return redirect(uri)
def post(self, request, *args, **kwargs):
-
authorize = AuthorizeEndpoint(request)
allow = True if request.POST.get('allow') else False