Merge pull request #4175 from mrezai/fix-pkce-s256-code-challenge

KEYCLOAK-4956: Fix incorrect PKCE S256 code challenge generation

services/src/main/java/org/keycloak/protocol/oidc/endpoints/TokenEndpoint.java

@@ -560,13 +560,9 @@ public class TokenEndpoint {
     // https://tools.ietf.org/html/rfc7636#section-4.6
     private String generateS256CodeChallenge(String codeVerifier) throws Exception {
         MessageDigest md = MessageDigest.getInstance("SHA-256");
-        md.update(codeVerifier.getBytes());
+        md.update(codeVerifier.getBytes("ISO_8859_1"));
-        StringBuilder sb = new StringBuilder();
+        byte[] digestBytes = md.digest();
-        for (byte b : md.digest()) {
+        String codeVerifierEncoded = Base64Url.encode(digestBytes);
-            String hex = String.format("%02x", b);
-            sb.append(hex);
-        }
-        String codeVerifierEncoded = Base64Url.encode(sb.toString().getBytes());
         return codeVerifierEncoded;
     }
  

testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/OAuthProofKeyForCodeExchangeTest.java

@@ -444,13 +444,9 @@ public class OAuthProofKeyForCodeExchangeTest extends AbstractKeycloakTest {
     
     private String generateS256CodeChallenge(String codeVerifier) throws Exception {
         MessageDigest md = MessageDigest.getInstance("SHA-256");
-        md.update(codeVerifier.getBytes());
+        md.update(codeVerifier.getBytes("ISO_8859_1"));
-        StringBuilder sb = new StringBuilder();
+        byte[] digestBytes = md.digest();
-        for (byte b : md.digest()) {
+        String codeChallenge = Base64Url.encode(digestBytes);
-            String hex = String.format("%02x", b);
-            sb.append(hex);
-        }
-        String codeChallenge = Base64Url.encode(sb.toString().getBytes());
         return codeChallenge;
     }