Conversation

@Emyrk
Member

@Emyrk Emyrk commented Dec 10, 2025

Breaking Change: Existing oauth apps might now use PKCE. If an unknown type was being used, and it does not support PKCE, it will break.

To fix, set the PKCE methods on the external auth to none

export CODER_EXTERNAL_AUTH_1_PKCE_METHODS=none

PKCE challenge used in primary coderd oauth2 flow.
Closes #21213

Implementation from: golang/oauth2@55cd552

What this does

This adds PKCE support when Coder is the OAuth client to an external IdP.

OIDC

PKCE support is automatically detected from the well-known configuration endpoint. If it is supported, Coder will use it.

coder/cli/server.go

Lines 189 to 195 in 53fc864

var pkceSupport struct {
	CodeChallengeMethodsSupported []promoauth.Oauth2PKCEChallengeMethod `json:"code_challenge_methods_supported"`
}
err = oidcProvider.Claims(&pkceSupport)
if err != nil {
	return nil, xerrors.Errorf("pkce detect in claims: %w", err)
}

OAuth (github login & external auth).

Known OAuth types have defaults set based on manual testing. We need to manually test to expand coverage.

We assume PKCE is supported by all unknown OAuth IdPs. This can be fixed in the configuration.

Example to disable:

export CODER_EXTERNAL_AUTH_1_PKCE_METHODS=none

Manual tests

Tested to work on:

  • Github ✔️ uses PKCE
    • Failed code looks like: {"message":"Failed exchanging Oauth code.","detail":"oauth2: \"bad_verification_code\" \"The code passed is incorrect or expired.\" \"https://docs.github.com/apps/managing-oauth-apps/troubleshooting-oauth-app-access-token-request-errors/#bad-verification-code\""}
  • Gitlab ✔️ uses PKCE
    • Failed code looks like: {"message":"Failed exchanging Oauth code.","detail":"oauth2: \"invalid_grant\" \"The provided authorization grant is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client.\""}
  • Gitea ✔️ uses PKCE
    • Failed code looks like: {"message":"Failed exchanging Oauth code.","detail":"oauth2: \"unauthorized_client\" \"failed PKCE code challenge\""}
  • Auth0 ✔️ uses PKCE
    • Failed code looks like: {"message":"Failed exchanging Oauth code.","detail":"oauth2: \"invalid_grant\" \"Invalid authorization code\""}

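The flow the description sketches, written out end to end as an added stand-alone Go example: read code_challenge_methods_supported from the OIDC discovery document, pick the strongest method (S256 over plain, with none as the explicit off switch that CODER_EXTERNAL_AUTH_1_PKCE_METHODS=none corresponds to), derive the code_challenge for the authorize request, and then do what the IdP's token endpoint does with the code_verifier in the exchange. This is not Coder's code and not the golang/oauth2 implementation the PR imports; the PKCEMethod type, the function names and the discovery document are this example's own constructions.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// PKCEMethod mirrors the code_challenge_methods_supported values defined by
// RFC 7636 / RFC 8414. This type is an example-local stand-in, not Coder's
// promoauth.Oauth2PKCEChallengeMethod.
type PKCEMethod string

const (
	MethodS256  PKCEMethod = "S256"
	MethodPlain PKCEMethod = "plain"
	MethodNone  PKCEMethod = "none" // PKCE disabled, the effect of ..._PKCE_METHODS=none
)

// wellKnown holds the one discovery-document field this example needs.
type wellKnown struct {
	CodeChallengeMethodsSupported []PKCEMethod `json:"code_challenge_methods_supported"`
}

// DetectPKCEMethod parses a discovery document and returns the strongest method
// it advertises. A document without the field yields MethodNone; the caller
// decides whether an unknown IdP should still be assumed to support PKCE.
func DetectPKCEMethod(discoveryJSON []byte) (PKCEMethod, error) {
	var wk wellKnown
	if err := json.Unmarshal(discoveryJSON, &wk); err != nil {
		return MethodNone, fmt.Errorf("parse discovery document: %w", err)
	}
	// Prefer S256: a plain challenge exposes the verifier to anything that can
	// read the authorize URL, which defeats the purpose of PKCE.
	hasPlain := false
	for _, m := range wk.CodeChallengeMethodsSupported {
		switch m {
		case MethodS256:
			return MethodS256, nil
		case MethodPlain:
			hasPlain = true
		}
	}
	if hasPlain {
		return MethodPlain, nil
	}
	return MethodNone, nil
}

// NewVerifier returns 32 random bytes as unpadded base64url (43 characters),
// inside RFC 7636's required 43..128 character range.
func NewVerifier() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// Challenge derives the code_challenge the client sends on the authorize request.
func Challenge(verifier string, method PKCEMethod) (string, error) {
	switch method {
	case MethodS256:
		sum := sha256.Sum256([]byte(verifier))
		return base64.RawURLEncoding.EncodeToString(sum[:]), nil
	case MethodPlain:
		return verifier, nil
	case MethodNone:
		return "", nil
	}
	return "", fmt.Errorf("unsupported PKCE method %q", method)
}

// ServerAccepts models the IdP's token endpoint: recompute the challenge from
// the presented code_verifier and compare it with the challenge stored next to
// the authorization code. A mismatch is what produces the failed-exchange
// errors listed in the PR description.
func ServerAccepts(storedChallenge string, method PKCEMethod, presentedVerifier string) bool {
	want, err := Challenge(presentedVerifier, method)
	if err != nil {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(want), []byte(storedChallenge)) == 1
}

func main() {
	// Constructed discovery document for a provider advertising both methods.
	disc := []byte(`{"issuer":"https://idp.example","code_challenge_methods_supported":["plain","S256"]}`)
	method, _ := DetectPKCEMethod(disc)
	v, _ := NewVerifier()
	c, _ := Challenge(v, method)
	fmt.Printf("method=%s verifier=%s challenge=%s\n", method, v, c)
	fmt.Println("correct verifier accepted:", ServerAccepts(c, method, v))
	fmt.Println("wrong verifier accepted:  ", ServerAccepts(c, method, "not-the-verifier"))
}
```

The verifier never leaves the client until the token exchange, so an attacker who intercepts only the authorization code cannot redeem it; the S256 branch is the one worth testing against the RFC 7636 Appendix B vector when wiring this into a real client.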
@Emyrk Emyrk marked this pull request as ready for review December 11, 2025 16:28
@Emyrk Emyrk changed the title feat: oauth2 client to use pkce in auth/exchange flow feat: oauth2 client support for pkce in auth/exchange flow Dec 11, 2025
@Emyrk Emyrk changed the title feat: oauth2 client support for pkce in auth/exchange flow feat: support PKCE in the oauth2 client's auth/exchange flow Dec 11, 2025
@Emyrk Emyrk changed the title feat: support PKCE in the oauth2 client's auth/exchange flow feat!: support PKCE in the oauth2 client's auth/exchange flow Dec 11, 2025
@Emyrk Emyrk added the release/breaking This label is applied to PRs to detect breaking changes as part of the release process label Dec 11, 2025


Development

Successfully merging this pull request may close these issues.

feat: Add OIDC nonce parameter support for CSRF protection

2 participants