diff --git a/.gitignore b/.gitignore
index b73d7b9..bc7bcef 100644
--- a/.gitignore
+++ b/.gitignore
@@ -5,3 +5,4 @@ tokens.json
 config.json
 .active_tokens.json
 *.before-*
+.token_audit.log
diff --git a/common.py b/common.py
index 5f5561f..14bc735 100644
--- a/common.py
+++ b/common.py
@@ -129,6 +129,9 @@ async def oauth_authorize(request: Request):
 if client_id not in tokens:
 return HTMLResponse(f"

Fehler

Unbekannte Client ID: {client_id}

", status_code=400)
+ if not code_challenge:
+ return HTMLResponse("

Fehler

PKCE erforderlich (code_challenge fehlt).

", status_code=400)
+ code = secrets.token_urlsafe(32)
 _auth_codes[code] = {
 "client_id": client_id,
@@ -171,19 +174,16 @@ async def oauth_token(request: Request):
 if code_data["client_id"] != client_id:
 return JSONResponse({"error": "invalid_grant", "error_description": "Client ID mismatch"}, status_code=400)
- if code_data["code_challenge"]:
- if not _verify_pkce(code_verifier, code_data["code_challenge"], code_data["code_challenge_method"]):
- return JSONResponse({"error": "invalid_grant", "error_description": "PKCE verification failed"}, status_code=400)
+ # PKCE PFLICHT (kein Bypass mit leerem code_challenge)
+ if not code_data.get("code_challenge"):
+ return JSONResponse({"error": "invalid_grant", "error_description": "PKCE required"}, status_code=400)
+ if not _verify_pkce(code_verifier, code_data["code_challenge"], code_data["code_challenge_method"]):
+ return JSONResponse({"error": "invalid_grant", "error_description": "PKCE verification failed"}, status_code=400)
- # Verify client_secret if provided, otherwise rely on PKCE alone
- if client_secret:
- user = _resolve_client(client_id, client_secret)
- if not user:
- return JSONResponse({"error": "invalid_client", "error_description": "Invalid client credentials"}, status_code=401)
- else:
- user = client_id
- if user not in _load_tokens():
- return JSONResponse({"error": "invalid_client"}, status_code=401)
+ # client_secret PFLICHT (confidential client) -- schliesst den Auth-Bypass
+ user = _resolve_client(client_id, client_secret)
+ if not user:
+ return JSONResponse({"error": "invalid_client", "error_description": "Invalid client credentials"}, status_code=401)
 elif grant_type == "client_credentials":
 user = _resolve_client(client_id, client_secret)
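Review bot: The new `if not code_challenge:` guard in oauth_authorize rejects a missing challenge but does not validate `code_challenge_method`, so a request that sends a `code_challenge` with an unsupported or `plain` method is still accepted here and the decision is deferred to `_verify_pkce` at token exchange, whose handling of those values is not visible in this diff. If only S256 is intended, reject it at the same point with a second guard, e.g. `if code_challenge_method != "S256": return HTMLResponse("…", status_code=400)` (presumably `code_challenge_method` is read next to `code_challenge`, since it is stored in the `_auth_codes` entry). The neighbouring context line interpolates `{client_id}` into an HTML error page; if that value is not escaped elsewhere, wrapping it in `html.escape(...)` would be the defensive fix, though that line is not part of this change. The HTML bodies of both error responses are garbled in this view, so their markup was not reviewed. oauth_authorize's body continues outside the hunk.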
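Review bot: In oauth_token, `code_verifier` reaches `_verify_pkce` without a presence check, so a token request that omits it relies on `_verify_pkce` tolerating `None`, which this diff does not show; a missing verifier should fail early with `if not code_verifier: return JSONResponse({"error": "invalid_request", "error_description": "code_verifier required"}, status_code=400)`. The same applies to `client_secret`: the now-unconditional `_resolve_client(client_id, client_secret)` call is only a complete fix if `_resolve_client` rejects an empty or `None` secret, so an explicit `if not client_secret:` returning `invalid_client` would make the intent visible at the call site rather than depending on a helper outside the hunk. Whether the authorization code is consumed (removed from `_auth_codes`) and expiry-checked before these checks run is also outside the hunk. On style, the two new comments are in German while the comment they replace was in English; keep one language per file, e.g. `# PKCE is mandatory (no bypass via an empty code_challenge)`. oauth_token's body continues outside the hunk.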