fix(oauth): enable PKCE for all clients and add token_broker to oauth_context
This commit fixes two OAuth issues in the Astrolabe app: 1. **Always use PKCE (RFC 9207)**: - PKCE is now used for all OAuth flows (public and confidential clients) - Previous code only used PKCE for public clients, causing failures - Confidential clients now use both PKCE + client_secret (defense in depth) - Nextcloud OIDC provider requires PKCE, so token exchange was failing 2. **Add token_broker to oauth_context**: - Token broker is now stored in oauth_context for management API access - Fixes "Token broker not configured" error when revoking access - Revoke endpoint needs token_broker to delete refresh tokens and invalidate cache Changes: - OAuthController.php: Always generate PKCE verifier/challenge for all clients - OAuthController.php: Always include code_verifier in token exchange - app.py: Store token_broker in oauth_context after creation Fixes: - Astrolabe OAuth flow now works with Nextcloud OIDC - Revoke/disconnect functionality now works in Astrolabe settings 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
This commit is contained in:
Chris Coutinho
@@ -1445,6 +1445,11 @@ def get_app(transport: str = "streamable-http", enabled_apps: list[str] | None =
|
||||
client_secret=sync_client_secret,
|
||||
)
|
||||
|
||||
# Store token broker in oauth_context for management API (revoke endpoint)
|
||||
if hasattr(app.state, "oauth_context"):
|
||||
app.state.oauth_context["token_broker"] = token_broker
|
||||
logger.info("Token broker added to oauth_context for management API")
|
||||
|
||||
# Initialize Qdrant collection before starting background tasks
|
||||
logger.info("Initializing Qdrant collection...")
|
||||
from nextcloud_mcp_server.vector.qdrant_client import get_qdrant_client
|
||||
|
||||
Reference in New Issue
Block a user