ValidatePKCECodeChallengeMethod validates the PKCE code_challenge_method parameter. Per OAuth 2.1, only S256 is supported; plain is rejected for security reasons.
(method string)
// ValidatePKCECodeChallengeMethod checks a client-supplied PKCE
// code_challenge_method value. It returns nil for the empty string and for
// S256, and a non-nil error for "plain" or any other value.
//
// The comparison is an exact, case-sensitive match against the
// OAuth2PKCECodeChallengeMethod constants, so variants such as "s256" fall
// through to the unsupported-method error.
//
// NOTE(review): an empty method is accepted on the assumption that the code
// verifying the challenge treats a missing method as S256. RFC 7636 defaults a
// missing method to "plain", so confirm the verifier never falls back to it.
func ValidatePKCECodeChallengeMethod(method string) error {
	// The parameter is optional; nothing to validate when it is absent.
	if method == "" {
		return nil
	}

	switch OAuth2PKCECodeChallengeMethod(method) {
	case OAuth2PKCECodeChallengeMethodS256:
		return nil
	case OAuth2PKCECodeChallengeMethodPlain:
		// "plain" sends the verifier itself as the challenge, so it gets a
		// dedicated message that points the client at S256.
		return xerrors.New("code_challenge_method 'plain' is not supported; use 'S256'")
	default:
		// The rejected value is request-controlled and is echoed verbatim;
		// treat the resulting message as untrusted wherever it is logged or
		// rendered.
		return xerrors.Errorf("unsupported code_challenge_method: %s", method)
	}
}
| 255 | |
| 256 | // validateURIField validates a URI field |
| 257 | func validateURIField(uriStr, fieldName string) error { |