core: Sanitizes request body before sending it to the storage adapter (…

…#258)

This release resolves a security issue (reported by [platform.sh](https://www.platform.sh)) related to potential storage implementations. This library used to pass
all of the request body from both authorize and token endpoints to the storage adapters. As some of these values
are needed in consecutive requests, some storage adapters chose to drop the full body to the database. This in turn caused,
with the addition of enabling POST-body based client authentication, the client secret to be leaked.

The issue has been resolved by sanitizing the request body and only including those values truly required by their
respective handlers. This lead to two breaking changes in the API:

1. The `fosite.Requester` interface has a new method `Sanitize(allowedParameters []string) Requester` which returns
a sanitized clone of the method receiver. If you do not use your own `fosite.Requester` implementation, this won't affect you.
2. If you use the PKCE handler, you will have to add three new methods to your storage implementation. The methods
to be added work exactly like, for example `CreateAuthorizeCodeSession`. The method signatures are as follows:
```go
type PKCERequestStorage interface {
	GetPKCERequestSession(ctx context.Context, signature string, session fosite.Session) (fosite.Requester, error)
	CreatePKCERequestSession(ctx context.Context, signature string, requester fosite.Requester) error
	DeletePKCERequestSession(ctx context.Context, signature string) error
}
```

We encourage you to upgrade to this release and check your storage implementations and potentially remove old data.

We would like to thank [platform.sh](https://www.platform.sh) for sponsoring the development of a patch that resolves this
issue.

HISTORY.md

@@ -5,6 +5,8 @@ bumps (`0.1.0` -> `0.2.0`).
 <!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->
 
 
+- [0.17.0](#0170)
+- [0.16.0](#0160)
 - [0.15.0](#0150)
 - [0.14.0](#0140)
 - [0.13.0](#0130)
@@ -39,6 +41,37 @@ bumps (`0.1.0` -> `0.2.0`).
 
 <!-- END doctoc generated TOC please keep comment here to allow auto update -->
 
+## 0.17.0
+
+This release resolves a security issue (reported by [platform.sh](https://www.platform.sh)) related to potential storage implementations.
+This library used to pass all of the request body from both authorize and token endpoints to the storage adapters. As some of these values
+are needed in consecutive requests, some storage adapters chose to drop the full body to the database.
+
+This implied that confidential parameters, such as the `client_secret` which can be passed in the request body since
+version 0.15.0, were stored as key/value pairs in plaintext in the database. While most client secrets are generated
+programmatically (as opposed to set by the user), it's a considerable security issue nonetheless.
+
+The issue has been resolved by sanitizing the request body and only including those values truly required by their
+respective handlers. This lead to two breaking changes in the API:
+
+1. The `fosite.Requester` interface has a new method `Sanitize(allowedParameters []string) Requester` which returns
+a sanitized clone of the method receiver. If you do not use your own `fosite.Requester` implementation, this won't affect you.
+2. If you use the PKCE handler, you will have to add three new methods to your storage implementation. The methods
+to be added work exactly like, for example `CreateAuthorizeCodeSession`. A reference implementation can be found in
+[./storage/memory.go](./storage/memory.go). The method signatures are as follows:
+```go
+type PKCERequestStorage interface {
+	GetPKCERequestSession(ctx context.Context, signature string, session fosite.Session) (fosite.Requester, error)
+	CreatePKCERequestSession(ctx context.Context, signature string, requester fosite.Requester) error
+	DeletePKCERequestSession(ctx context.Context, signature string) error
+}
+```
+
+We encourage you to upgrade to this release and check your storage implementations and potentially remove old data.
+
+We would like to thank [platform.sh](https://www.platform.sh) for sponsoring the development of a patch that resolves this
+issue.
+
 ## 0.16.0
 
 This patch introduces `SendDebugMessagesToClients` to the Fosite struct which enables/disables sending debug information to

compose/compose_pkce.go

@@ -30,7 +30,7 @@ import (
 func OAuth2PKCEFactory(config *Config, storage interface{}, strategy interface{}) interface{} {
 	return &pkce.Handler{
 		AuthorizeCodeStrategy: strategy.(oauth2.AuthorizeCodeStrategy),
-		CoreStorage:           storage.(oauth2.CoreStorage),
+		Storage:               storage.(pkce.PKCERequestStorage),
 		Force:                 config.EnforcePKCE,
 		EnablePlainChallengeMethod: config.EnablePKCEPlainChallengeMethod,
 	}

generate-mocks.sh

@@ -15,6 +15,7 @@ mockgen -package internal -destination internal/access_token_strategy.go github.
 mockgen -package internal -destination internal/refresh_token_strategy.go github.com/ory/fosite/handler/oauth2 RefreshTokenStrategy
 mockgen -package internal -destination internal/authorize_code_strategy.go github.com/ory/fosite/handler/oauth2 AuthorizeCodeStrategy
 mockgen -package internal -destination internal/id_token_strategy.go github.com/ory/fosite/handler/openid OpenIDConnectTokenStrategy
+mockgen -package internal -destination internal/pkce_storage_strategy.go github.com/ory/fosite/handler/pkce PKCERequestStorage
 mockgen -package internal -destination internal/authorize_handler.go github.com/ory/fosite AuthorizeEndpointHandler
 mockgen -package internal -destination internal/revoke_handler.go github.com/ory/fosite RevocationHandler
 mockgen -package internal -destination internal/token_handler.go github.com/ory/fosite TokenEndpointHandler

handler/oauth2/flow_authorize_code_auth.go

@@ -49,6 +49,10 @@ type AuthorizeExplicitGrantHandler struct {
 	AccessTokenLifespan time.Duration
 
 	ScopeStrategy fosite.ScopeStrategy
+
+	// SanitationWhiteList is a whitelist of form values that are required by the token endpoint. These values
+	// are safe for storage in a database (cleartext).
+	SanitationWhiteList []string
 }
 
 func (c *AuthorizeExplicitGrantHandler) HandleAuthorizeEndpointRequest(ctx context.Context, ar fosite.AuthorizeRequester, resp fosite.AuthorizeResponder) error {
@@ -82,7 +86,7 @@ func (c *AuthorizeExplicitGrantHandler) IssueAuthorizeCode(ctx context.Context,
 	}
 
 	ar.GetSession().SetExpiresAt(fosite.AuthorizeCode, time.Now().UTC().Add(c.AuthCodeLifespan))
-	if err := c.CoreStorage.CreateAuthorizeCodeSession(ctx, signature, ar); err != nil {
+	if err := c.CoreStorage.CreateAuthorizeCodeSession(ctx, signature, ar.Sanitize(c.GetSanitationWhiteList())); err != nil {
 		return errors.WithStack(fosite.ErrServerError.WithDebug(err.Error()))
 	}
 
@@ -92,3 +96,13 @@ func (c *AuthorizeExplicitGrantHandler) IssueAuthorizeCode(ctx context.Context,
 	ar.SetResponseTypeHandled("code")
 	return nil
 }
+
+func (c *AuthorizeExplicitGrantHandler) GetSanitationWhiteList() []string {
+	if len(c.SanitationWhiteList) > 0 {
+		return c.SanitationWhiteList
+	}
+	return []string{
+		"code",
+		"redirect_uri",
+	}
+}

handler/oauth2/flow_authorize_code_token.go

@@ -135,10 +135,10 @@ func (c *AuthorizeExplicitGrantHandler) PopulateTokenEndpointResponse(ctx contex
 
 	if err := c.CoreStorage.DeleteAuthorizeCodeSession(ctx, signature); err != nil {
 		return errors.WithStack(fosite.ErrServerError.WithDebug(err.Error()))
-	} else if err := c.CoreStorage.CreateAccessTokenSession(ctx, accessSignature, requester); err != nil {
+	} else if err := c.CoreStorage.CreateAccessTokenSession(ctx, accessSignature, requester.Sanitize([]string{})); err != nil {
 		return errors.WithStack(fosite.ErrServerError.WithDebug(err.Error()))
 	} else if refreshSignature != "" {
-		if err := c.CoreStorage.CreateRefreshTokenSession(ctx, refreshSignature, requester); err != nil {
+		if err := c.CoreStorage.CreateRefreshTokenSession(ctx, refreshSignature, requester.Sanitize([]string{})); err != nil {
 			return errors.WithStack(fosite.ErrServerError.WithDebug(err.Error()))
 		}
 	}

handler/oauth2/flow_authorize_implicit.go

@@ -84,7 +84,7 @@ func (c *AuthorizeImplicitGrantTypeHandler) IssueImplicitAccessToken(ctx context
 		return errors.WithStack(fosite.ErrServerError.WithDebug(err.Error()))
 	}
 
-	if err := c.AccessTokenStorage.CreateAccessTokenSession(ctx, signature, ar); err != nil {
+	if err := c.AccessTokenStorage.CreateAccessTokenSession(ctx, signature, ar.Sanitize([]string{})); err != nil {
 		return errors.WithStack(fosite.ErrServerError.WithDebug(err.Error()))
 	}
 

handler/oauth2/flow_authorize_implicit_test.go

@@ -77,7 +77,7 @@ func TestAuthorizeImplicit_EndpointHandler(t *testing.T) {
 			description: "should fail because persistence failed",
 			setup: func() {
 				chgen.EXPECT().GenerateAccessToken(nil, areq).AnyTimes().Return("access.ats", "ats", nil)
-				store.EXPECT().CreateAccessTokenSession(nil, "ats", areq).Return(errors.New(""))
+				store.EXPECT().CreateAccessTokenSession(nil, "ats", gomock.Eq(areq.Sanitize([]string{}))).Return(errors.New(""))
 			},
 			expectErr: fosite.ErrServerError,
 		},
@@ -87,7 +87,7 @@ func TestAuthorizeImplicit_EndpointHandler(t *testing.T) {
 				areq.State = "state"
 				areq.GrantedScopes = fosite.Arguments{"scope"}
 
-				store.EXPECT().CreateAccessTokenSession(nil, "ats", areq).AnyTimes().Return(nil)
+				store.EXPECT().CreateAccessTokenSession(nil, "ats", gomock.Eq(areq.Sanitize([]string{}))).AnyTimes().Return(nil)
 
 				aresp.EXPECT().AddFragment("access_token", "access.ats")
 				aresp.EXPECT().AddFragment("expires_in", gomock.Any())

handler/oauth2/flow_client_credentials_test.go

@@ -131,7 +131,7 @@ func TestClientCredentials_PopulateTokenEndpointResponse(t *testing.T) {
 				areq.Session = &fosite.DefaultSession{}
 				areq.Client = &fosite.DefaultClient{GrantTypes: fosite.Arguments{"client_credentials"}}
 				chgen.EXPECT().GenerateAccessToken(nil, areq).Return("tokenfoo.bar", "bar", nil)
-				store.EXPECT().CreateAccessTokenSession(nil, "bar", areq).Return(nil)
+				store.EXPECT().CreateAccessTokenSession(nil, "bar", gomock.Eq(areq.Sanitize([]string{}))).Return(nil)
 			},
 		},
 	} {

handler/oauth2/flow_refresh.go

@@ -107,9 +107,9 @@ func (c *RefreshTokenGrantHandler) PopulateTokenEndpointResponse(ctx context.Con
 		return errors.WithStack(fosite.ErrServerError.WithDebug(err.Error()))
 	} else if err := c.TokenRevocationStorage.RevokeRefreshToken(ctx, ts.GetID()); err != nil {
 		return errors.WithStack(fosite.ErrServerError.WithDebug(err.Error()))
-	} else if err := c.TokenRevocationStorage.CreateAccessTokenSession(ctx, accessSignature, requester); err != nil {
+	} else if err := c.TokenRevocationStorage.CreateAccessTokenSession(ctx, accessSignature, requester.Sanitize([]string{})); err != nil {
 		return errors.WithStack(fosite.ErrServerError.WithDebug(err.Error()))
-	} else if err := c.TokenRevocationStorage.CreateRefreshTokenSession(ctx, refreshSignature, requester); err != nil {
+	} else if err := c.TokenRevocationStorage.CreateRefreshTokenSession(ctx, refreshSignature, requester.Sanitize([]string{})); err != nil {
 		return errors.WithStack(fosite.ErrServerError.WithDebug(err.Error()))
 	}
 

handler/oauth2/flow_resource_owner.go

@@ -89,7 +89,7 @@ func (c *ResourceOwnerPasswordCredentialsGrantHandler) PopulateTokenEndpointResp
 		refresh, refreshSignature, err = c.RefreshTokenStrategy.GenerateRefreshToken(ctx, requester)
 		if err != nil {
 			return errors.WithStack(fosite.ErrServerError.WithDebug(err.Error()))
-		} else if err := c.ResourceOwnerPasswordCredentialsGrantStorage.CreateRefreshTokenSession(ctx, refreshSignature, requester); err != nil {
+		} else if err := c.ResourceOwnerPasswordCredentialsGrantStorage.CreateRefreshTokenSession(ctx, refreshSignature, requester.Sanitize([]string{})); err != nil {
 			return errors.WithStack(fosite.ErrServerError.WithDebug(err.Error()))
 		}
 	}

handler/oauth2/flow_resource_owner_test.go

@@ -150,7 +150,7 @@ func TestResourceOwnerFlow_PopulateTokenEndpointResponse(t *testing.T) {
 				areq.Session = &fosite.DefaultSession{}
 				areq.GrantTypes = fosite.Arguments{"password"}
 				chgen.EXPECT().GenerateAccessToken(nil, areq).Return(mockAT, "bar", nil)
-				store.EXPECT().CreateAccessTokenSession(nil, "bar", areq).Return(nil)
+				store.EXPECT().CreateAccessTokenSession(nil, "bar", gomock.Eq(areq.Sanitize([]string{}))).Return(nil)
 			},
 			expect: func() {
 				assert.Nil(t, aresp.GetExtra("refresh_token"), "unexpected refresh token")
@@ -162,9 +162,9 @@ func TestResourceOwnerFlow_PopulateTokenEndpointResponse(t *testing.T) {
 				areq.GrantTypes = fosite.Arguments{"password"}
 				areq.GrantScope("offline")
 				rtstr.EXPECT().GenerateRefreshToken(nil, areq).Return(mockRT, "bar", nil)
-				store.EXPECT().CreateRefreshTokenSession(nil, "bar", areq).Return(nil)
+				store.EXPECT().CreateRefreshTokenSession(nil, "bar", gomock.Eq(areq.Sanitize([]string{}))).Return(nil)
 				chgen.EXPECT().GenerateAccessToken(nil, areq).Return(mockAT, "bar", nil)
-				store.EXPECT().CreateAccessTokenSession(nil, "bar", areq).Return(nil)
+				store.EXPECT().CreateAccessTokenSession(nil, "bar", gomock.Eq(areq.Sanitize([]string{}))).Return(nil)
 			},
 			expect: func() {
 				assert.NotNil(t, aresp.GetExtra("refresh_token"), "expected refresh token")

handler/oauth2/helper.go

@@ -39,7 +39,7 @@ func (h *HandleHelper) IssueAccessToken(ctx context.Context, requester fosite.Ac
 	token, signature, err := h.AccessTokenStrategy.GenerateAccessToken(ctx, requester)
 	if err != nil {
 		return err
-	} else if err := h.AccessTokenStorage.CreateAccessTokenSession(ctx, signature, requester); err != nil {
+	} else if err := h.AccessTokenStorage.CreateAccessTokenSession(ctx, signature, requester.Sanitize([]string{})); err != nil {
 		return err
 	}
 

handler/oauth2/helper_test.go

@@ -71,14 +71,14 @@ func TestIssueAccessToken(t *testing.T) {
 		{
 			mock: func() {
 				accessStrat.EXPECT().GenerateAccessToken(nil, areq).Return("token", "signature", nil)
-				accessStore.EXPECT().CreateAccessTokenSession(nil, "signature", areq).Return(errors.New(""))
+				accessStore.EXPECT().CreateAccessTokenSession(nil, "signature", gomock.Eq(areq.Sanitize([]string{}))).Return(errors.New(""))
 			},
 			err: errors.New(""),
 		},
 		{
 			mock: func() {
 				accessStrat.EXPECT().GenerateAccessToken(nil, areq).Return("token", "signature", nil)
-				accessStore.EXPECT().CreateAccessTokenSession(nil, "signature", areq).Return(nil)
+				accessStore.EXPECT().CreateAccessTokenSession(nil, "signature", gomock.Eq(areq.Sanitize([]string{}))).Return(nil)
 			},
 			err: nil,
 		},

handler/openid/flow_explicit_auth.go

@@ -35,6 +35,14 @@ type OpenIDConnectExplicitHandler struct {
 	*IDTokenHandleHelper
 }
 
+var oidcParameters = []string{"grant_type",
+	"max_age",
+	"prompt",
+	"acr_values",
+	"id_token_hint",
+	"nonce",
+}
+
 func (c *OpenIDConnectExplicitHandler) HandleAuthorizeEndpointRequest(ctx context.Context, ar fosite.AuthorizeRequester, resp fosite.AuthorizeResponder) error {
 	if !(ar.GetGrantedScopes().Has("openid") && ar.GetResponseTypes().Exact("code")) {
 		return nil
@@ -48,7 +56,7 @@ func (c *OpenIDConnectExplicitHandler) HandleAuthorizeEndpointRequest(ctx contex
 		return errors.WithStack(fosite.ErrMisconfiguration.WithDebug("Authorization code has not been issued yet"))
 	}
 
-	if err := c.OpenIDConnectRequestStorage.CreateOpenIDConnectSession(ctx, resp.GetCode(), ar); err != nil {
+	if err := c.OpenIDConnectRequestStorage.CreateOpenIDConnectSession(ctx, resp.GetCode(), ar.Sanitize(oidcParameters)); err != nil {
 		return errors.WithStack(fosite.ErrServerError.WithDebug(err.Error()))
 	}
 

handler/openid/flow_explicit_auth_test.go

@@ -88,14 +88,14 @@ func TestExplicit_HandleAuthorizeEndpointRequest(t *testing.T) {
 			description: "should fail because lookup fails",
 			setup: func() {
 				aresp.EXPECT().GetCode().AnyTimes().Return("codeexample")
-				store.EXPECT().CreateOpenIDConnectSession(nil, "codeexample", areq).Return(errors.New(""))
+				store.EXPECT().CreateOpenIDConnectSession(nil, "codeexample", gomock.Eq(areq.Sanitize(oidcParameters))).Return(errors.New(""))
 			},
 			expectErr: fosite.ErrServerError,
 		},
 		{
 			description: "should pass",
 			setup: func() {
-				store.EXPECT().CreateOpenIDConnectSession(nil, "codeexample", areq).AnyTimes().Return(nil)
+				store.EXPECT().CreateOpenIDConnectSession(nil, "codeexample", gomock.Eq(areq.Sanitize(oidcParameters))).AnyTimes().Return(nil)
 			},
 		},
 	} {

handler/openid/flow_hybrid.go

@@ -80,7 +80,7 @@ func (c *OpenIDConnectHybridHandler) HandleAuthorizeEndpointRequest(ctx context.
 		code, signature, err := c.AuthorizeExplicitGrantHandler.AuthorizeCodeStrategy.GenerateAuthorizeCode(ctx, ar)
 		if err != nil {
 			return errors.WithStack(fosite.ErrServerError.WithDebug(err.Error()))
-		} else if err := c.AuthorizeExplicitGrantHandler.CoreStorage.CreateAuthorizeCodeSession(ctx, signature, ar); err != nil {
+		} else if err := c.AuthorizeExplicitGrantHandler.CoreStorage.CreateAuthorizeCodeSession(ctx, signature, ar.Sanitize(c.AuthorizeExplicitGrantHandler.GetSanitationWhiteList())); err != nil {
 			return errors.WithStack(fosite.ErrServerError.WithDebug(err.Error()))
 		}
 

handler/pkce/handler.go

@@ -39,7 +39,7 @@ type Handler struct {
 	EnablePlainChallengeMethod bool
 
 	AuthorizeCodeStrategy oauth2.AuthorizeCodeStrategy
-	CoreStorage           oauth2.CoreStorage
+	Storage               PKCERequestStorage
 }
 
 func (c *Handler) HandleAuthorizeEndpointRequest(ctx context.Context, ar fosite.AuthorizeRequester, resp fosite.AuthorizeResponder) error {
@@ -54,7 +54,24 @@ func (c *Handler) HandleAuthorizeEndpointRequest(ctx context.Context, ar fosite.
 
 	challenge := ar.GetRequestForm().Get("code_challenge")
 	method := ar.GetRequestForm().Get("code_challenge_method")
-	return c.validate(challenge, method)
+	if err := c.validate(challenge, method); err != nil {
+		return err
+	}
+
+	code := resp.GetCode()
+	if len(code) == 0 {
+		return errors.WithStack(fosite.ErrServerError.WithDebug("The PKCE handler must be loaded after the authorize code handler"))
+	}
+
+	signature := c.AuthorizeCodeStrategy.AuthorizeCodeSignature(code)
+	if err := c.Storage.CreatePKCERequestSession(ctx, signature, ar.Sanitize([]string{
+		"code_challenge",
+		"code_challenge_method",
+	})); err != nil {
+		return errors.WithStack(fosite.ErrServerError.WithDebug(err.Error()))
+	}
+
+	return nil
 }
 
 func (c *Handler) validate(challenge, method string) error {
@@ -101,7 +118,6 @@ func (c *Handler) validate(challenge, method string) error {
 }
 
 func (c *Handler) HandleTokenEndpointRequest(ctx context.Context, request fosite.AccessRequester) error {
-	// This let's us define multiple response types, for example open id connect's id_token
 	if !request.GetGrantTypes().Exact("authorization_code") {
 		return errors.WithStack(fosite.ErrUnknownRequest)
 	}
@@ -112,8 +128,14 @@ func (c *Handler) HandleTokenEndpointRequest(ctx context.Context, request fosite
 
 	code := request.GetRequestForm().Get("code")
 	signature := c.AuthorizeCodeStrategy.AuthorizeCodeSignature(code)
-	authorizeRequest, err := c.CoreStorage.GetAuthorizeCodeSession(ctx, signature, request.GetSession())
-	if err != nil {
+	authorizeRequest, err := c.Storage.GetPKCERequestSession(ctx, signature, request.GetSession())
+	if errors.Cause(err) == fosite.ErrNotFound {
+		return errors.WithStack(fosite.ErrInvalidGrant.WithDescription("Unable to find initial PKCE data tied to this request").WithDebug(err.Error()))
+	} else if err != nil {
+		return errors.WithStack(fosite.ErrServerError.WithDebug(err.Error()))
+	}
+
+	if err := c.Storage.DeletePKCERequestSession(ctx, signature); err != nil {
 		return errors.WithStack(fosite.ErrServerError.WithDebug(err.Error()))
 	}
 

handler/pkce/handler_test.go

@@ -29,6 +29,7 @@ import (
 	"testing"
 
 	"github.com/ory/fosite"
+	"github.com/ory/fosite/handler/oauth2"
 	"github.com/ory/fosite/storage"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@@ -51,12 +52,17 @@ func (m *mockCodeStrategy) ValidateAuthorizeCode(ctx context.Context, requester
 }
 
 func TestPKCEHandleAuthorizeEndpointRequest(t *testing.T) {
-	h := &Handler{}
+	h := &Handler{
+		Storage:               storage.NewMemoryStore(),
+		AuthorizeCodeStrategy: new(oauth2.HMACSHAStrategy),
+	}
 	w := fosite.NewAuthorizeResponse()
 	r := fosite.NewAuthorizeRequest()
 	c := &fosite.DefaultClient{}
 	r.Client = c
 
+	w.AddQuery("code", "foo")
+
 	r.Form.Add("code_challenge", "challenge")
 	r.Form.Add("code_challenge_method", "plain")
 
@@ -86,7 +92,7 @@ func TestPKCEHandlerValidate(t *testing.T) {
 	s := storage.NewMemoryStore()
 	ms := &mockCodeStrategy{}
 	h := &Handler{
-		CoreStorage: s, AuthorizeCodeStrategy: ms,
+		Storage: s, AuthorizeCodeStrategy: ms,
 	}
 	pc := &fosite.DefaultClient{Public: true}
 
@@ -121,7 +127,7 @@ func TestPKCEHandlerValidate(t *testing.T) {
 		{
 			d:         "fails because invalid code",
 			grant:     "authorization_code",
-			expectErr: fosite.ErrServerError,
+			expectErr: fosite.ErrInvalidGrant,
 			client:    pc,
 			code:      "invalid-code-2",
 		},
@@ -221,7 +227,7 @@ func TestPKCEHandlerValidate(t *testing.T) {
 			ar := fosite.NewAuthorizeRequest()
 			ar.Form.Add("code_challenge", tc.challenge)
 			ar.Form.Add("code_challenge_method", tc.method)
-			require.NoError(t, s.CreateAuthorizeCodeSession(nil, fmt.Sprintf("valid-code-%d", k), ar))
+			require.NoError(t, s.CreatePKCERequestSession(nil, fmt.Sprintf("valid-code-%d", k), ar))
 
 			r := fosite.NewAccessRequest(nil)
 			r.Client = tc.client