Feature request
My understanding is OAuth 2.1 will require PKCE, and this is the default mechanism for Keycloak and Zitadel.
https://datatracker.ietf.org/doc/html/rfc7636#section-4.1 contains the detailed spec, but the gist is to generate a random code_verifier value and a hashed code_challenge in lieu of storing a client secret in the app.
My expedient solution is to modify runOAuth2, authorizationUrl and tokenParams in a local fork and add crypton as a dependency but that's probably invasive for any existing users of the library.
Feature request
My understanding is OAuth 2.1 will require PKCE, and this is the default mechanism for Keycloak and Zitadel.
https://datatracker.ietf.org/doc/html/rfc7636#section-4.1 contains the detailed spec, but the gist is to generate a random
code_verifiervalue and a hashedcode_challengein lieu of storing a client secret in the app.My expedient solution is to modify
runOAuth2,authorizationUrlandtokenParamsin a local fork and add crypton as a dependency but that's probably invasive for any existing users of the library.