Skip to content

feat(openidConnect): auto-detect and apply PKCE from OIDC discovery#640

Open
peyremorgan wants to merge 2 commits intomarkbates:masterfrom
peyremorgan:feat/oidc-pkce-auto-algo
Open

feat(openidConnect): auto-detect and apply PKCE from OIDC discovery#640
peyremorgan wants to merge 2 commits intomarkbates:masterfrom
peyremorgan:feat/oidc-pkce-auto-algo

Conversation

@peyremorgan
Copy link
Copy Markdown

@peyremorgan peyremorgan commented Apr 23, 2026

When the OIDC discovery document advertises code_challenge_methods_supported, the provider now automatically:

  • Selects the best method (S256 preferred over plain per RFC 7636 §4.2)
  • Generates a cryptographically random code_verifier on each BeginAuth call
  • Computes the code_challenge and injects it into the authorization URL
  • Stores the code_verifier in the Session for use at token exchange
  • Uses the stored verifier in Authorize(), falling back to the legacy code_verifier query param for backward compatibility

If code_challenge_methods_supported is absent or empty, PKCE is not applied.

Fixes #639

@peyremorgan
feat(openidConnect): auto-detect and apply PKCE from OIDC discovery
61ba8ed 
When the OIDC discovery document advertises code_challenge_methods_supported,
the provider now automatically:
- Selects the best method (S256 preferred over plain per RFC 7636 §4.2)
- Generates a cryptographically random code_verifier on each BeginAuth call
- Computes the code_challenge and injects it into the authorization URL
- Stores the code_verifier in the Session for use at token exchange
- Uses the stored verifier in Authorize(), falling back to the legacy
  code_verifier query param for backward compatibility

If code_challenge_methods_supported is absent or empty, PKCE is not applied.
@peyremorgan peyremorgan marked this pull request as draft April 23, 2026 12:46
@peyremorgan peyremorgan marked this pull request as draft April 23, 2026 12:46
@peyremorgan
Copy link
Copy Markdown
Author

peyremorgan commented Apr 23, 2026

Okay, marking this as WIP because #636 uses another approach (imports "golang.org/x/oauth2") and I think we should converge on a single implementation style for both.

@peyremorgan
refactor(openidConnect): use golang.org/x/oauth2 built-in PKCE functions
efb752a 
Replace custom generateCodeVerifier and generateS256Challenge helpers with
oauth2.GenerateVerifier(), oauth2.S256ChallengeOption(), oauth2.VerifierOption(),
and oauth2.S256ChallengeFromVerifier() from golang.org/x/oauth2 v0.30.0.
@peyremorgan peyremorgan marked this pull request as ready for review April 23, 2026 13:11
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

openidConnect: auto-configure PKCE based on the contents of the discovery document

1 participant

@peyremorgan