Describe the bug
Using the django client:
Passing "code_challenge" to authorize_redirect() is ignored. A new code verifier and code challenge are created anyway.
But passing "code_verifier" to authorize_access_token() works as expected.
The end result is that for the tin foil hat types that are worried about random number generation, there's no way for the django client to create their own code_verifiers for PKCE.
Error Stacks
To Reproduce
A minimal example to reproduce the behavior:
```python
django_client.authorize_redirect(url, code_challenge="some_code_challenge")
assert django_client.framework.get_session_data(request, 'code_challenge') == "some_code_challenge"
```
Expected behavior
The assert should pass.
The django client should not override "code_challenge" passed into kwargs.
Environment:
OS: Linux
Python Version: 3.7.3
Authlib Version: 0.14.1
Additional context
In BaseApp._create_oauth2_authorization_url(), my kwarg "code_challenge" is passed into kwargs.
But on line 170, a new code verifier is created. And then the oauth2 client's create_authorization_url() method overwrites the code challenge that is still passed into kwargs.

I'll see if I can get to it today or tomorrow. Biggest problem is that I have to recreate the issue on my personal development environment.

The workaround for me is to just use the code verifier that gets created from the framework.get_session_data() call. But I can see people (like me) not necessarily trusting /dev/random, and wanting a stronger way of generating a secure code verifier.
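As an added stand-alone example (not Authlib's code and not the reporter's), here are the RFC 7636 steps this issue is about: drawing a code_verifier from the OS CSPRNG via `secrets`, deriving the S256 code_challenge, placing a caller-supplied challenge in the authorization request (what the reporter expects authorize_redirect() to do), and the check an authorization server performs at the token endpoint. It uses only the standard library; the function names, the `as.example` / `app.example` endpoints and the demo client id are this example's own assumptions. Whether Authlib honours a caller-supplied code_challenge is exactly what the report is about, so the example does not call Authlib; the known-answer values are the RFC 7636 Appendix B test vector.

```python
"""PKCE (RFC 7636) helpers: verifier generation, S256 challenge, authorization
request and token-endpoint check. Added example using only the standard
library; the names below are this example's own, not Authlib's."""
import base64
import hashlib
import hmac
import re
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# RFC 7636 section 4.1: 43..128 characters from the unreserved set.
_VERIFIER_RE = re.compile(r"^[A-Za-z0-9._~-]{43,128}$")


def _b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 Appendix A specifies."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def generate_code_verifier(nbytes: int = 32) -> str:
    """Draw the verifier from the OS CSPRNG (secrets.token_bytes).
    32 random octets give the 43-character minimum; 96 give the 128 maximum."""
    if not 32 <= nbytes <= 96:
        raise ValueError("nbytes must be between 32 and 96")
    verifier = _b64url(secrets.token_bytes(nbytes))
    assert _VERIFIER_RE.match(verifier)
    return verifier


def create_s256_code_challenge(code_verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return _b64url(digest)


def build_authorization_url(authorize_endpoint: str, client_id: str,
                            redirect_uri: str, state: str,
                            code_challenge: str,
                            code_challenge_method: str = "S256") -> str:
    """Attach a caller-supplied challenge to the authorization request,
    which is the behaviour the report expects from authorize_redirect()."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": code_challenge_method,
    }
    return authorize_endpoint + "?" + urlencode(params)


def challenge_in_url(url: str) -> str:
    """Read back the code_challenge actually sent (the reporter's assert)."""
    return parse_qs(urlsplit(url).query)["code_challenge"][0]


def verify_code_challenge(code_verifier: str, code_challenge: str,
                          method: str = "S256") -> bool:
    """Token-endpoint check: recompute the challenge from the presented
    verifier and compare in constant time. Malformed verifiers and unknown
    methods are rejected; 'plain' is handled only for completeness."""
    if not _VERIFIER_RE.match(code_verifier or ""):
        return False
    if method == "S256":
        expected = create_s256_code_challenge(code_verifier)
    elif method == "plain":
        expected = code_verifier
    else:
        return False
    return hmac.compare_digest(expected, code_challenge)


# RFC 7636 Appendix B test vector, used as a known-answer check.
RFC7636_VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
RFC7636_CHALLENGE = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"


def demo() -> dict:
    """Full client/server round trip; endpoints are constructed placeholders."""
    verifier = generate_code_verifier()
    challenge = create_s256_code_challenge(verifier)
    url = build_authorization_url(
        "https://as.example/authorize",      # assumed authorization endpoint
        client_id="demo-client",             # assumed client id
        redirect_uri="https://app.example/cb",
        state=secrets.token_urlsafe(16),
        code_challenge=challenge)
    sent = challenge_in_url(url)
    return {
        "verifier": verifier,
        "sent_challenge": sent,
        "accepted": verify_code_challenge(verifier, sent),
        "tampered_rejected": not verify_code_challenge(verifier + "x", sent),
    }


if __name__ == "__main__":
    print(demo())
```

The design point relevant to the report: the client owns the verifier and never sends it in the authorization request, so the library has no reason to discard a challenge the caller derived from its own verifier; the only thing the server can check is that the verifier presented at the token endpoint hashes to the challenge that was actually sent.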