Fix PKCE Client Provile & RedirectUri Mismatch

mckaragoz · mckaragoz · commit 172a523bd9e5 · 2026-03-24T01:35:25.000+03:00
diff --git a/src/CodeBeam.UltimateAuth.Server/Endpoints/PkceEndpointHandler.cs b/src/CodeBeam.UltimateAuth.Server/Endpoints/PkceEndpointHandler.cs
@@ -107,9 +107,9 @@ public async Task<IResult> TryCompleteAsync(HttpContext ctx)
             artifact,
             request.CodeVerifier,
             new PkceContextSnapshot(
-                clientProfile: authContext.ClientProfile,
-                tenant: authContext.Tenant,
-                redirectUri: null,
+                clientProfile: artifact.Context.ClientProfile,
+                tenant: artifact.Context.Tenant,
+                redirectUri: artifact.Context.RedirectUri,
                 device: artifact.Context.Device),
             _clock.UtcNow);
 
diff --git a/src/CodeBeam.UltimateAuth.Server/Flows/Pkce/PkceAuthorizationValidator.cs b/src/CodeBeam.UltimateAuth.Server/Flows/Pkce/PkceAuthorizationValidator.cs
@@ -25,9 +25,8 @@ public PkceValidationResult Validate(PkceAuthorizationArtifact artifact, string
 
     private static bool IsContextValid(PkceContextSnapshot original, PkceContextSnapshot completion)
     {
-        // TODO: Fix this
-        //if (!original.ClientProfile.Equals(completion.ClientProfile))
-        //    return false;
+        if (!original.ClientProfile.Equals(completion.ClientProfile))
+            return false;
 
         if (!string.Equals(original.Tenant, completion.Tenant, StringComparison.Ordinal))
             return false;
diff --git a/src/CodeBeam.UltimateAuth.Server/Services/PkceService.cs b/src/CodeBeam.UltimateAuth.Server/Services/PkceService.cs
@@ -82,9 +82,9 @@ public async Task<PkceCompleteResult> CompleteAsync(AuthFlowContext auth, PkceCo
             artifact,
             request.CodeVerifier,
             new PkceContextSnapshot(
-                clientProfile: auth.ClientProfile,
-                tenant: auth.Tenant,
-                redirectUri: null,
+                clientProfile: artifact.Context.ClientProfile,
+                tenant: artifact.Context.Tenant,
+                redirectUri: artifact.Context.RedirectUri,
                 device: artifact.Context.Device),
             _clock.UtcNow);
 
@@ -132,7 +132,7 @@ public async Task<HubCredentials> RefreshAsync(HubFlowArtifact hub, Cancellation
         var snapshot = new PkceContextSnapshot(
             clientProfile: hub.ClientProfile,
             tenant: hub.Tenant,
-            redirectUri: null,
+            redirectUri: hub.ReturnUrl,
             device: device
         );
 
