Skip to content

PKCE support for OAuth2 #182

Description

@feature-not-a-bug

Feature request

My understanding is OAuth 2.1 will require PKCE, and this is the default mechanism for Keycloak and Zitadel.

https://datatracker.ietf.org/doc/html/rfc7636#section-4.1 contains the detailed spec, but the gist is to generate a random code_verifier value and a hashed code_challenge in lieu of storing a client secret in the app.

My expedient solution is to modify runOAuth2, authorizationUrl and tokenParams in a local fork and add crypton as a dependency but that's probably invasive for any existing users of the library.

Metadata

Metadata

Labels

No labels
No labels

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions