feat: add PKCE support for OIDC authentication #21204
Draft
+60
−15
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This adds support for PKCE (Proof Key for Code Exchange) when Coder acts as an OIDC client. PKCE is an OAuth 2.0 extension that prevents authorization code interception attacks, making authentication more secure especially for public clients. ## Changes - Add `CODER_OIDC_PKCE` environment variable (default: false) - Add `--oidc-pkce` flag to enable PKCE for OIDC authentication - Modify ExtractOAuth2 middleware to: - Generate PKCE code verifier when initiating auth flow - Store verifier in HttpOnly cookie - Include code_challenge (S256) in authorization request - Pass code_verifier during token exchange - Update all ExtractOAuth2 call sites with pkceEnabled parameter ## Configuration To enable PKCE for OIDC authentication: ```bash export CODER_OIDC_PKCE=true ``` Or via CLI: ```bash coder server --oidc-pkce ``` ## Security - Uses S256 challenge method (SHA256 hash of verifier) - Verifier stored in HttpOnly cookie for CSRF protection - Compatible with all major IdPs that support PKCE (Okta, Azure AD, Keycloak, etc.) Related: RFC 7636 - Proof Key for Code Exchange
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
This adds support for PKCE (Proof Key for Code Exchange) when Coder acts as an OIDC client. PKCE is an OAuth 2.0 extension (RFC 7636) that prevents authorization code interception attacks, making authentication more secure especially for public clients.
Problem
Some identity providers require or strongly recommend PKCE for OAuth2/OIDC flows. Without PKCE support, Coder cannot authenticate with these IdPs.
Changes
CODER_OIDC_PKCEenvironment variable (default: false)--oidc-pkceflag to enable PKCE for OIDC authenticationOAuth2PKCECookieconstant for storing the PKCE verifierExtractOAuth2middleware to:code_challenge(S256) in authorization requestcode_verifierduring token exchangeExtractOAuth2call sites withpkceEnabledparameterConfiguration
To enable PKCE for OIDC authentication:
export CODER_OIDC_PKCE=trueOr via CLI:
Implementation Details
golang.org/x/oauth2's built-in PKCE support (oauth2.GenerateVerifier(),oauth2.S256ChallengeOption(),oauth2.VerifierOption())Testing
TestOAuth2tests to passpkceEnabledparameterTODO (for follow-up)
Related