also supported by google oidc -- code_challenge_methods_supported per https://accounts.google.com/.well-known/openid-configuration
[server][auth] add OIDC PKCE support #13
gbw/phylum:add_pkce_support into main Great work! Definitely nice to support more secure standards.
What would happen if a provider doesn't support this challenge method? Is it the client's responsibility to ensure support or is it backwards compatible by default? My guess is the former but I'm not sure.
if the IDP followed rfc 6749, then "The authorization server MUST ignore unrecognized request parameters." however there's no guarantees that every IDP does so.
i did a quick check of some IDPs listed here and almost all of them do support pkce. i can see three potential options:
- accept it as is
- check the well-known endpoint for capabilities (specifically look for code_challenge_methods_supported and S256)
- add a config variable for it
I was thinking more along the lines of 2, but I think it's more work than it's worth at this point
I was thinking more along the lines of 2, but I think it's more work than it's worth at this point
No due date set.
No dependencies set.
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?