OAuth2-basic plugin and PKCE

Hello all,

I’m new to the oauth2-basic plugin and after reading the docs and source code, I cannot find an answer to my question.

  • Does the oauth2-basic plugin support pkce?
  • If so, how can I enable that?
  • If not, how might I modify the oauth2-basic plugin code to use pkce?

The omniauth GitHub README says that I should be able to set the pkce option to true in my omniauth strategy. However, I have attempted this change in the oauth2-basic plugin code and no code challenge is being sent to my authorize_url. Any suggestions?

Thanks in advance

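For reference, this is what a PKCE (RFC 7636) authorization request and the matching token-endpoint check look like in plain Ruby. It is an added example, not code from the original post, the oauth2-basic plugin or omniauth; the authorize endpoint, client id, redirect URI and state value are hypothetical placeholders, and the test vector is the one published in RFC 7636 Appendix B. If the strategy is really sending PKCE, the `code_challenge` and `code_challenge_method=S256` parameters built here are what should show up on the authorize_url.

```ruby
require "securerandom"
require "digest"
require "base64"
require "uri"

# RFC 7636 code_verifier: 43..128 characters from [A-Z a-z 0-9 - . _ ~].
# 32 random bytes base64url-encoded without padding yields exactly 43 characters.
def pkce_code_verifier
  Base64.urlsafe_encode64(SecureRandom.random_bytes(32), padding: false)
end

# S256 method: code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), no padding.
def pkce_code_challenge(verifier)
  Base64.urlsafe_encode64(Digest::SHA256.digest(verifier), padding: false)
end

# Client side: the authorization request. The verifier itself is kept in the
# session and only the challenge goes over the front channel.
def pkce_authorize_url(base, client_id:, redirect_uri:, state:, code_challenge:)
  uri = URI.parse(base)
  uri.query = URI.encode_www_form(
    "response_type"         => "code",
    "client_id"             => client_id,
    "redirect_uri"          => redirect_uri,
    "state"                 => state,
    "code_challenge"        => code_challenge,
    "code_challenge_method" => "S256"
  )
  uri.to_s
end

# Constant-time string comparison so the challenge check does not leak timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Server side: at the token endpoint, recompute the challenge from the presented
# code_verifier and compare it with the challenge stored alongside the auth code.
def pkce_verifier_valid?(stored_challenge, presented_verifier)
  return false unless presented_verifier.is_a?(String)
  return false unless (43..128).cover?(presented_verifier.length)
  return false unless presented_verifier.match?(/\A[A-Za-z0-9\-._~]+\z/)
  secure_equal?(pkce_code_challenge(presented_verifier), stored_challenge)
end

# RFC 7636 Appendix B test vector (published values, not constructed here).
RFC7636_VERIFIER  = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
RFC7636_CHALLENGE = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"

if __FILE__ == $PROGRAM_NAME
  verifier  = pkce_code_verifier
  challenge = pkce_code_challenge(verifier)
  # Hypothetical endpoint and client values for illustration only.
  puts pkce_authorize_url("https://idp.example.test/oauth/authorize",
                          client_id: "discourse-client",
                          redirect_uri: "https://forum.example.test/auth/oauth2_basic/callback",
                          state: SecureRandom.hex(16),
                          code_challenge: challenge)
  puts "verifier accepted: #{pkce_verifier_valid?(challenge, verifier)}"
end
```

The point of the server-side check is that an attacker who intercepts the authorization code (the custom-URL-scheme case) cannot redeem it without the verifier, which never left the client's session.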

Bumping this as a community I assist is requesting support for PKCE.

Prior to being asked about it, I hadn't yet seen anything about this, but looking through the documentation for it, it seems the primary driver for this is native apps and SPAs:

Native apps

  • Cannot securely store a Client Secret. Decompiling the app will reveal the Client Secret, which is bound to the app and is the same for all users and devices
  • May make use of a custom URL scheme to capture redirects (e.g., MyApp://) potentially allowing malicious applications to receive an Authorization Code from your Authorization Server

Single-page apps

  • Cannot securely store a Client Secret because their entire source is available to the browser

Neither of which is applicable to this situation; it’s the Discourse server that holds the secret.
