February 26, 2026 | 0.1.7 | Jugg.ai

v0.1.7 — fix(oidc): reject 'plain' PKCE method and make PKCE mandatory (S256-only)

Release v0.1.7: OIDC PKCE hardening — S256-only enforcement

What changed

  • PKCE is now mandatory — all authorization requests must include a code_challenge
  • S256-only — the insecure plain PKCE method is rejected; S256 is the only supported method
  • Removed fallback behavior — token endpoint no longer defaults to plain verification; codes issued without PKCE are rejected
  • 30 new test cases — comprehensive coverage of RFC 7636 and RFC 9700 compliance, including RFC test vectors

Why it matters

The plain PKCE method provides no real protection: an attacker who intercepts the authorization request URL can trivially extract the code verifier (it equals the code challenge). The previous implementation accepted plain and had a fallback to it on the token endpoint. This release hardens the OIDC server to reject plain entirely and makes PKCE mandatory, closing a path for authorization code interception attacks.

Technical notes

Breaking change: Authorization codes issued before this update cannot be exchanged — they will be rejected with invalid_grant. Clients must reissue them. Existing clients that send valid S256 PKCE are unaffected.

Compliance: Changes align with RFC 9700 §2.1.1 (OAuth 2.0 Security BCP) and RFC 7636 §4.2 (PKCE), which both strongly discourage plain in favor of S256.
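The behaviour described above (mandatory PKCE, S256-only, no plain fallback at the token endpoint, pre-upgrade codes rejected with invalid_grant), as an added illustration written for this note rather than code from the Jugg.ai project; the in-memory code store, the authorize/exchange helper names and the token value are constructed for the example, and the S256 test vector is the one from RFC 7636 Appendix B.

```python
import base64
import hashlib
import hmac
import re
from typing import Optional

# Constructed in-memory store of issued authorization codes (stand-in for the server's real store).
ISSUED_CODES = {}

# RFC 7636 section 4.1: unreserved characters, 43 to 128 characters long.
VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def s256_challenge(code_verifier: str) -> str:
    """BASE64URL(SHA256(ASCII(code_verifier))), unpadded, per RFC 7636 section 4.2."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def authorize(params: dict, code: str) -> dict:
    """Authorization endpoint: a code_challenge is mandatory and only S256 is accepted."""
    challenge = params.get("code_challenge")
    method = params.get("code_challenge_method")
    if not challenge:
        return {"error": "invalid_request", "error_description": "code_challenge is required"}
    # 'plain' is rejected, and so is an absent method (RFC 7636 defaults an absent method to plain).
    if method != "S256":
        return {"error": "invalid_request", "error_description": "only S256 is supported"}
    ISSUED_CODES[code] = {"code_challenge": challenge}
    return {"code": code}


def exchange(code: str, code_verifier: Optional[str]) -> dict:
    """Token endpoint: no plain fallback; a code with no stored challenge is rejected."""
    record = ISSUED_CODES.pop(code, None)  # authorization codes are single-use
    if record is None or "code_challenge" not in record:
        return {"error": "invalid_grant"}  # unknown, reused, or issued before PKCE was mandatory
    if not code_verifier or not VERIFIER_RE.fullmatch(code_verifier):
        return {"error": "invalid_grant"}
    expected = record["code_challenge"].encode("ascii")
    actual = s256_challenge(code_verifier).encode("ascii")
    if not hmac.compare_digest(expected, actual):  # constant-time comparison
        return {"error": "invalid_grant"}
    return {"access_token": "constructed-example-token", "token_type": "Bearer"}
```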

Release Notes

PR #413 ("fix(oidc): reject 'plain' PKCE method and make PKCE mandatory") could not be merged because its changes are already present on main and the tag v0.1.7 already exists in the repository. Both OIDC route files on main already reflect the full S256-only PKCE hardening from the PR. The merge was blocked by GitHub (mergeable: false) and the release creation was blocked by a duplicate tag error. No further action is required — the security fixes are already live.