Require PKCE for native OAuth auth codes #7983

Open

tianmind-studio wants to merge 1 commit into BasedHardware:main from tianmind-studio:codex/auth-pkce-native-callback
Conversation

@tianmind-studio tianmind-studio (Contributor) commented Jun 17, 2026

Summary

  • require S256 PKCE on /v1/auth/authorize and verify code_verifier during /v1/auth/token for new native-app auth codes
  • send PKCE parameters from Flutter web auth/link flows, macOS desktop auth, and the Python CLI loopback browser flow
  • add backend PKCE regression coverage, CLI OAuth tests, and a short CLI docs note

Fixes #7692

Current status

  • Rebased on main at 1a5824403b68ce47c3b0909577cadc1242ba0d3f
  • Head refreshed to ceef4143d162c7f0371b3f9fb85425b0c9965a05
  • GitHub currently reports the PR as mergeable
  • CI follow-up: formatted app/lib/services/auth_service.dart using the project language-version behavior that GitHub Actions sees after flutter pub get, fixing the previous Dart formatting failure on the PR merge ref

Tests

  • D:\codex-omi-work\.venvs\omi-backend-vad-refresh\Scripts\python.exe -m pytest backend/tests/unit/test_auth_redirect_uri.py -q --tb=short
    • 55 passed, 3 skipped, 15 warnings
  • D:\codex-omi-work\.venvs\omi-backend-vad-refresh\Scripts\python.exe -m pytest sdks/python-cli/tests/test_auth_oauth.py -q --tb=short
    • 19 passed
  • D:\codex-omi-work\.venvs\omi-backend-vad-refresh\Scripts\python.exe -m py_compile backend/routers/auth.py sdks/python-cli/omi_cli/auth/oauth.py backend/tests/unit/test_auth_redirect_uri.py sdks/python-cli/tests/test_auth_oauth.py
  • D:\codex-omi-work\.tools\dart-sdk\bin\dart.exe format --language-version=3.0 --line-length 120 --set-exit-if-changed --output=none app/lib/services/auth_service.dart
    • Formatted 1 file (0 changed)
  • GitHub Actions-equivalent Dart check via Git Bash with local ignored app/.dart_tool/package_config.json
    • Formatted 1 file (0 changed). Dart still reports a flutter_lints package-resolution warning because app package dependencies are not installed in this Windows worktree.
  • git diff --check origin/main...HEAD and git diff --check
  • scripts/pre-commit with local Dart SDK and backend Windows venv on PATH

Not run: Flutter analyze/tests and macOS xcrun swift build are unavailable from this Windows environment.
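To make the behaviour this PR describes concrete (S256 challenge required on the authorize step, verifier checked on the token step, code single-use), here is an added, self-contained Python sketch. It is not the project's backend or CLI code; the `AuthorizationServer` class, its method names and the returned token value are constructed stand-ins for the real `/v1/auth/authorize` and `/v1/auth/token` handlers.

```python
import base64
import hashlib
import secrets
from typing import Optional

# RFC 7636 helpers: the verifier is 43..128 unreserved characters,
# the challenge is BASE64URL(SHA256(verifier)) without padding.
def make_code_verifier() -> str:
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")

def s256_challenge(code_verifier: str) -> str:
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

class AuthorizationServer:
    """Hypothetical in-memory stand-in for the authorize and token endpoints."""

    def __init__(self) -> None:
        self._pending = {}  # auth code -> S256 challenge bound to it at issue time

    def authorize(self, code_challenge: str, code_challenge_method: str) -> str:
        # Refuse to issue a code without PKCE or with the weaker "plain" method.
        if code_challenge_method != "S256" or not code_challenge:
            raise ValueError("invalid_request: code_challenge with method S256 is required")
        code = secrets.token_urlsafe(24)
        self._pending[code] = code_challenge
        return code

    def token(self, code: str, code_verifier: Optional[str]) -> dict:
        stored = self._pending.pop(code, None)  # one-shot: a replayed code fails here
        if stored is None:
            raise ValueError("invalid_grant: unknown or already-used code")
        if not code_verifier or not 43 <= len(code_verifier) <= 128:
            raise ValueError("invalid_grant: code_verifier missing or malformed")
        if not secrets.compare_digest(s256_challenge(code_verifier), stored):
            raise ValueError("invalid_grant: PKCE verification failed")
        # Constructed token value; a real server would mint a signed token here.
        return {"access_token": "constructed-token-" + code[:6], "token_type": "Bearer"}

def native_app_login(server: AuthorizationServer) -> dict:
    # The client keeps the verifier private and sends only the challenge to authorize.
    verifier = make_code_verifier()
    code = server.authorize(s256_challenge(verifier), "S256")
    # A party that only observed `code` on the loopback/custom-scheme redirect
    # cannot redeem it: the token step also needs `verifier`.
    return server.token(code, verifier)
```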

@tianmind-studio tianmind-studio force-pushed the codex/auth-pkce-native-callback branch from 4bfd3fa to ceef414 on June 17, 2026 09:34

@kodjima33 kodjima33 (Collaborator) left a comment

Security hardening (PKCE for native OAuth) — approve; touches auth, Nik to land

Successfully merging this pull request may close these issues.

Missing PKCE in OAuth Flow (Authorization Code Interception Risk)

2 participants