🔥 Amazon PKCE 中的 code_verifier 基于 state 缓存

justauth · Aug 4, 2024 · 6859b8a · 6859b8a
1 parent b01704f
commit 6859b8a
Showing 1 changed file with 4 additions and 3 deletions.
diff --git a/src/main/java/me/zhyd/oauth/request/AuthAmazonRequest.java b/src/main/java/me/zhyd/oauth/request/AuthAmazonRequest.java
@@ -50,15 +50,16 @@ public AuthAmazonRequest(AuthConfig config, AuthStateCache authStateCache) {
      */
     @Override
     public String authorize(String state) {
+        String realState = getRealState(state);
         UrlBuilder builder = UrlBuilder.fromBaseUrl(source.authorize())
             .queryParam("client_id", config.getClientId())
             .queryParam("scope", this.getScopes(" ", true, AuthScopeUtils.getDefaultScopes(AuthAmazonScope.values())))
             .queryParam("redirect_uri", config.getRedirectUri())
             .queryParam("response_type", "code")
-            .queryParam("state", getRealState(state));
+            .queryParam("state", realState);
 
         if (config.isPkce()) {
-            String cacheKey = this.source.getName().concat(":code_verifier:").concat(config.getClientId());
+            String cacheKey = this.source.getName().concat(":code_verifier:").concat(realState);
             String codeVerifier = PkceUtil.generateCodeVerifier();
             String codeChallengeMethod = "S256";
             String codeChallenge = PkceUtil.generateCodeChallenge(codeChallengeMethod, codeVerifier);
@@ -86,7 +87,7 @@ public AuthToken getAccessToken(AuthCallback authCallback) {
         form.put("client_secret", config.getClientSecret());
 
         if (config.isPkce()) {
-            String cacheKey = this.source.getName().concat(":code_verifier:").concat(config.getClientId());
+            String cacheKey = this.source.getName().concat(":code_verifier:").concat(authCallback.getState());
             String codeVerifier = this.authStateCache.get(cacheKey);
             form.put("code_verifier", codeVerifier);
         }