Re: [PR] CXF-9216 - Switch default OAuth2 code verifier to Digest [cxf]

via GitHub Thu, 21 May 2026 06:02:22 -0700


coheigea commented on code in PR #3132:
URL: https://github.com/apache/cxf/pull/3132#discussion_r3281334419



##########
rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java:
##########
@@ -173,9 +173,9 @@ private boolean compareCodeVerifierWithChallenge(Client c, 
String clientCodeVeri
                     return false;
                 }
             }
-            // Fall back to plain
+            // Fall back to digest
             if (codeVerifierTransformer == null) {
-                codeVerifierTransformer = new PlainCodeVerifier();
+                codeVerifierTransformer = new DigestCodeVerifier();

Review Comment:
   @reta I've made the default code verifier configurable on the class. 
PlainCodeVerifier can still be plugged in to the class, so I think we can keep 
it for now.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Re: [PR] CXF-9216 - Switch default OAuth2 code verifier to Digest [cxf]

Reply via email to