Code verifier expire during login on IdP when using PKCE #110

@nixx

Description

When Nginx redirects the user to the authorization endpoint of the IdP, a code challenge is created and used as a parameter in the browser redirect.

After the user has logged in, we sometimes see the error:

"OIDC error from IdP when sending authorization code: invalid_request, Invalid request: Illegal code verifier: The code verifier must be at least 43 characters" from the IdP and a failed login.

The code verifier is stored in Nginx and configured in the plugin:

keyval_zone zone=oidc_pkce:128K timeout=90s; # Temporary storage for PKCE code verifier.

If the authorization with the IdP takes more than 90 seconds, values in "oidc_pkce" will time out and the code verifier will not be available when Nginx tries to fetch the token from the token endpoint. 90 seconds is easily spent on the IdP if the user needs to use some kind of MFA or other time-consuming mechanisms.

I propose two fixes:

  • Better logging. If a code verifier is expected, but not present, there should be good logs making it easy to debug the error.
  • Configurable timeout. 90 seconds is sufficient for some login scenarios, but others may take up to 10 minutes.
