feat: Add PKCE Verifier for OIDC (#2314)

* feat: add PKCE verifier for OIDC * Update CHANGELOG.md
2024-12-23 00:46:36 +08:00 · 2024-12-23 00:46:36 +08:00 · b81420bef1
commit b81420bef1
parent 9313e5b058
7 changed files with 187 additions and 15 deletions
--- a/docs/ref/oidc.md
+++ b/docs/ref/oidc.md
@ -45,6 +45,18 @@ oidc:
  allowed_users:
    - alice@example.com

+  # Optional: PKCE (Proof Key for Code Exchange) configuration
+  # PKCE adds an additional layer of security to the OAuth 2.0 authorization code flow
+  # by preventing authorization code interception attacks
+  # See https://datatracker.ietf.org/doc/html/rfc7636
+  pkce:
+    # Enable or disable PKCE support (default: false)
+    enabled: false
+    # PKCE method to use:
+    # - plain: Use plain code verifier
+    # - S256: Use SHA256 hashed code verifier (default, recommended)
+    method: S256
+
  # If `strip_email_domain` is set to `true`, the domain part of the username email address will be removed.
  # This will transform `first-name.last-name@example.com` to the user `first-name.last-name`
  # If `strip_email_domain` is set to `false` the domain part will NOT be removed resulting to the following