diff --git a/oauth2_http/java/com/google/auth/oauth2/DefaultPKCEProvider.java b/oauth2_http/java/com/google/auth/oauth2/DefaultPKCEProvider.java
index d4671dbe2..33e3a3fc7 100644
--- a/oauth2_http/java/com/google/auth/oauth2/DefaultPKCEProvider.java
+++ b/oauth2_http/java/com/google/auth/oauth2/DefaultPKCEProvider.java
@@ -90,7 +90,7 @@ private class CodeChallenge {
 byte[] digest = md.digest();
- this.codeChallenge = Base64.getUrlEncoder().encodeToString(digest);
+ this.codeChallenge = Base64.getUrlEncoder().encodeToString(digest).replace("=", "");
 this.codeChallengeMethod = "S256";
 } catch (NoSuchAlgorithmException e) {
 this.codeChallenge = codeVerifier;
diff --git a/oauth2_http/javatests/com/google/auth/oauth2/DefaultPKCEProviderTest.java b/oauth2_http/javatests/com/google/auth/oauth2/DefaultPKCEProviderTest.java
index e56739aad..4559d9bf1 100644
--- a/oauth2_http/javatests/com/google/auth/oauth2/DefaultPKCEProviderTest.java
+++ b/oauth2_http/javatests/com/google/auth/oauth2/DefaultPKCEProviderTest.java
@@ -32,6 +32,7 @@
 package com.google.auth.oauth2;
 import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
@@ -58,4 +59,11 @@ public void testPkceExpected() throws NoSuchAlgorithmException {
 assertEquals(pkce.getCodeChallenge(), expectedCodeChallenge);
 assertEquals(pkce.getCodeChallengeMethod(), expectedCodeChallengeMethod);
 }
+
+ @Test
+ public void testNoBase64Padding() throws NoSuchAlgorithmException {
+ PKCEProvider pkce = new DefaultPKCEProvider();
+ assertFalse(pkce.getCodeChallenge().endsWith("="));
+ assertFalse(pkce.getCodeChallenge().contains("="));
+ }
 }
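Review bot: The padding is stripped after the fact with `.replace("=", "")` in the DefaultPKCEProvider.java hunk, which works but hides the intent; the encoder can produce the unpadded form directly, `this.codeChallenge = Base64.getUrlEncoder().withoutPadding().encodeToString(digest);`, which is the base64url-without-padding encoding RFC 7636 specifies for an S256 challenge. A one-line comment there naming that requirement would keep a later cleanup from reintroducing the `=`. Separately, the `catch (NoSuchAlgorithmException e)` context assigns the raw `codeVerifier` as the challenge, which looks like a silent fall-back to the plain method (the rest of the branch is outside the hunk, so this is inferred). SHA-256 is a required MessageDigest algorithm on every Java platform, so failing loudly in that branch would avoid ever placing the verifier itself in the authorization request. The enclosing block starts and ends outside the hunk.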
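Review bot: In `testNoBase64Padding` the `endsWith("=")` assertion is already implied by the `contains("=")` one, and neither pins the shape of the value being sent to the authorization server. A SHA-256 digest is 32 bytes, so the unpadded base64url challenge is always 43 characters; `assertTrue(pkce.getCodeChallenge().matches("[A-Za-z0-9_-]{43}"));` (with the matching static import) would catch padding, a wrong alphabet and a truncated value in one check. The `throws NoSuchAlgorithmException` clause also looks unnecessary, since nothing visible in the method body throws it.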