
Adjust OAuth grant validation limits (no code changes yet)#3261

Merged
HFO4 merged 3 commits into master from copilot/fix-oauth2-validation-issues
Feb 3, 2026

Conversation

Contributor

Copilot AI commented Feb 3, 2026

  • Update OAuth grant validation for state length and code_challenge_method handling
  • Add/adjust focused tests for updated OAuth validation (if feasible)
  • Run targeted Go tests and note pre-existing failures
  • Verify behavior for larger state values
Original prompt

This section details the original issue you should resolve

<issue_title>Why is state bound to a max of 255 and why is code_challenge_method validated mandatorily</issue_title>
<issue_description>Describe the bug
When making an OAuth2/OIDC authorization request, the GrantService endpoint returns a parameter validation failure. Specifically, the state field exceeds the length limit, and the code_challenge_method field does not match the preset S256 constraint.

To Reproduce
http://localhost/session/authorize?client_id=c2929a-929a-4d3b-929a-bdcfb266c7e9&redirect_uri=https://oauth.localhost.cn/callback&scope=openid%20profile%20email&response_type=code&state=P2NsaWVudF9pZD05NTA1Yjc3N2ZmNmY2NDdmODIxMyZjb2RlX2NoYWxsZW5nZT1SUGhOb0pqdGpOc015N3h5MmVrVjdTbHFLTVNabTE2bVlUTElsX29tVGhjJmNvZGVfY2hhbGxlbmdlX21ldGhvZD1TMjU2JnJlZGlyZWN0X3VyaT1odHRwJTNBJTJGJTJGbG9jYWxob3N0JTNBMzAwMCUyRmF1dGglMkZjYWxsYmFjayZyZXNwb25zZV90eXBlPWNvZGUmc2NvcGU9b3BlbmlkK3Byb2ZpbGUrZW1haWwmc3RhdGU9SnBkdUVNQ0wyOWJ3VklOWnNEOUdleHBKTVZvdHh2R1omYXBwbGljYXRpb249THVtaW5ldC1BdXRoJnByb3ZpZGVyPWx1bWluZXRfcGFuJm1ldGhvZD1zaWdudXA=
POST /api/v4/session/oauth/consent
{"client_id":"c2929a-929a-4d3b-929a-bdcfb266c7e9","response_type":"code","redirect_uri":"https://oauth.localhost.cn/callback","state":"P2NsaWVudF9pZD05NTA1Yjc3N2ZmNmY2NDdmODIxMyZjb2RlX2NoYWxsZW5nZT1SUGhOb0pqdGpOc015N3h5MmVrVjdTbHFLTVNabTE2bVlUTElsX29tVGhjJmNvZGVfY2hhbGxlbmdlX21ldGhvZD1TMjU2JnJlZGlyZWN0X3VyaT1odHRwJTNBJTJGJTJGbG9jYWxob3N0JTNBMzAwMCUyRmF1dGglMkZjYWxsYmFjayZyZXNwb25zZV90eXBlPWNvZGUmc2NvcGU9b3BlbmlkK3Byb2ZpbGUrZW1haWwmc3RhdGU9SnBkdUVNQ0wyOWJ3VklOWnNEOUdleHBKTVZvdHh2R1omYXBwbGljYXRpb249THVtaW5ldC1BdXRoJnByb3ZpZGVyPWx1bWluZXRfcGFuJm1ldGhvZD1zaWdudXA=","scope":"openid profile email"}
In Debug mode it returns {
"code": 40001,
"msg": "State too long",
"error": "Key: 'GrantService.State' Error:Field validation for 'State' failed on the 'max' tag\nKey: 'GrantService.CodeChallengeMethod' Error:Field validation for 'CodeChallengeMethod' failed on the 'eq' tag"
}
Expected behavior
The size of state should not be limited, and why is the code_challenge_method parameter mandatory?
Screenshots
If applicable, add screenshots to help explain your problem.

Desktop (please complete the following information):

  • OS: macOS 14
  • Browser chrome
  • Version pro 4.12.4 #fa35b18

Additional context
Add any other context about the problem here.
</issue_description>

<agent_instructions>Fix it and limit state to 4KB</agent_instructions>

Comments on the Issue (you are @copilot in this section)



Copilot AI assigned Copilot and HFO4 Feb 3, 2026
Copilot AI changed the title from "[WIP] Fix state length limit and code challenge method validation" to "Adjust OAuth grant validation limits (no code changes yet)" Feb 3, 2026
Copilot AI requested a review from HFO4 February 3, 2026 06:43
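The two checks the issue argues about, written out as an added example in Go (Cloudreve's language). This is not the project's code and not what this PR merged; the GrantRequest type, its field names and the error values are assumed. The 4 KiB cap is taken from the agent instructions on the issue ("limit state to 4KB"); the S256-only rule mirrors the `eq` constraint in the reported validation error, but applied only when a code_challenge is actually present. The S256 derivation and the code_challenge format follow RFC 7636, and the sample requests in main are constructed (only the client_id, redirect_uri and scope are copied from the report).

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// MaxStateBytes is the cap assumed here: 4 KiB, the figure given in the agent
// instructions on the issue. It is an assumption of this example, not a value
// read from Cloudreve's code.
const MaxStateBytes = 4096

// RFC 7636 section 4.2: code_challenge is 43 to 128 characters from the
// unreserved set [A-Za-z0-9-._~]; base64url(SHA-256) is exactly 43 of them.
var codeChallengeRe = regexp.MustCompile(`^[A-Za-z0-9._~-]{43,128}$`)

// GrantRequest is a hypothetical stand-in for the consent payload shown in
// the issue; the field names are assumed, not Cloudreve's GrantService.
type GrantRequest struct {
	ClientID            string
	ResponseType        string
	RedirectURI         string
	Scope               string
	State               string
	CodeChallenge       string
	CodeChallengeMethod string
}

var (
	ErrStateTooLong      = errors.New("state too long")
	ErrMethodNotS256     = errors.New("code_challenge_method must be S256")
	ErrChallengeFormat   = errors.New("code_challenge must be 43-128 unreserved characters")
	ErrMethodWithoutPKCE = errors.New("code_challenge_method given without code_challenge")
)

// Validate applies the two rules under discussion. State is opaque to the
// authorization server (RFC 6749 section 4.1.1) and is only bounded so the
// redirect URL that echoes it back stays within practical limits. PKCE is
// optional, but when a code_challenge is sent the method must be S256:
// "plain" gives no protection if the challenge leaks, so it is rejected
// rather than defaulted to as RFC 7636 would otherwise permit.
func (g GrantRequest) Validate() error {
	if g.ClientID == "" || g.RedirectURI == "" {
		return errors.New("client_id and redirect_uri are required")
	}
	if g.ResponseType != "code" {
		return fmt.Errorf("unsupported response_type %q", g.ResponseType)
	}
	if len(g.State) > MaxStateBytes {
		return ErrStateTooLong
	}
	switch {
	case g.CodeChallenge == "" && g.CodeChallengeMethod == "":
		// No PKCE on this request: nothing further to check.
	case g.CodeChallenge == "":
		return ErrMethodWithoutPKCE
	case !codeChallengeRe.MatchString(g.CodeChallenge):
		return ErrChallengeFormat
	case g.CodeChallengeMethod != "S256":
		return ErrMethodNotS256
	}
	return nil
}

// S256Challenge derives code_challenge from code_verifier as RFC 7636
// section 4.2 specifies: unpadded base64url of SHA-256(verifier).
func S256Challenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

func main() {
	// Constructed sample requests; client_id, redirect_uri and scope are the
	// values from the report, everything else is made up for illustration.
	base := GrantRequest{
		ClientID:     "c2929a-929a-4d3b-929a-bdcfb266c7e9",
		ResponseType: "code",
		RedirectURI:  "https://oauth.localhost.cn/callback",
		Scope:        "openid profile email",
	}
	long := base
	long.State = strings.Repeat("x", 600) // over the old 255 cap, under 4 KiB
	huge := base
	huge.State = strings.Repeat("x", MaxStateBytes+1)
	pkce := base
	pkce.State = "JpduEMCL29bwVINZsD9GexpJMVotxvGZ"
	// RFC 7636 Appendix B verifier, so the derived challenge is the RFC's.
	pkce.CodeChallenge = S256Challenge("dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk")
	pkce.CodeChallengeMethod = "S256"
	plain := pkce
	plain.CodeChallengeMethod = "plain"

	for _, c := range []struct {
		name string
		req  GrantRequest
	}{
		{"600-byte state, no PKCE", long},
		{"state over 4 KiB", huge},
		{"S256 PKCE", pkce},
		{"plain PKCE", plain},
	} {
		fmt.Printf("%-24s -> %v\n", c.name, c.req.Validate())
	}
}
```

The state in the report is not random: it base64-decodes to the query string of a nested authorization request (its own client_id, code_challenge, redirect_uri and state), which is a common relay pattern and is why a 255-byte cap breaks it. A bound still belongs on the field because the server must echo it back verbatim in the redirect URL; 4 KiB leaves room for that while keeping the full URL inside what browsers and reverse proxies typically accept.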
@CLAassistant

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.

@HFO4 HFO4 marked this pull request as ready for review February 3, 2026 06:54
@HFO4 HFO4 merged commit 1f580f0 into master Feb 3, 2026
0 of 2 checks passed
Copilot AI requested a review from HFO4 February 3, 2026 06:55
Copilot stopped work on behalf of HFO4 due to an error February 3, 2026 06:55

Development

Successfully merging this pull request may close these issues.

Why is state bound to a max of 255 and why is code_challenge_method validated mandatorily

3 participants