[PR #4804] [MERGED] Add OIDC PKCE functionality #6407

New Issue

Closed

opened 2026-02-05 10:31:29 +03:00 by OVERLORD · 0 comments

OVERLORD commented 2026-02-05 10:31:29 +03:00

Owner

Copy Link

📋 Pull Request Information

Original PR: https://github.com/BookStackApp/BookStack/pull/4804
Author: @ssddanbrown
Created: 1/25/2024
Status: ✅ Merged
Merged: 1/27/2024
Merged by: @ssddanbrown

Base: development ← Head: oidc_pkce

---

📝 Commits (2)

• 3e9e196 OIDC: Added PKCE functionality
• 1dc094f OIDC: Added testing of PKCE flow

📊 Changes

3 files changed (+51 additions, -20 deletions)

View changed files

📝 app/Access/Oidc/OidcOAuthProvider.php (+12 -19)
📝 app/Access/Oidc/OidcService.php (+11 -1)
📝 tests/Auth/OidcTest.php (+28 -0)

📄 Description

Related to #4734.

Todo

• Check full implementation and library against RFC spec.
• Cover with PHPUnit testing.
• Auth system checks (Check each with and without enforcement for post/after compatibility):
  • Jumpcloud
    • Works fine, Could not force PKCE, fails when invalid.
  • Okta
    • Works fine, allows forcing PKCE. Fails in expected cases of invalid/missing value, including invalid when not enforced.
  • Auth0
    • Could not find option to force PKCE. Does fail with invalid PKCE in auth code request.
  • Keycloak
    • Works fine, allows forcing PKCE (via specifying method) and fails without, and invalid when not enforced.
  • Authentik
    • Could not find easy option to force PKCE, but does fail with invalid PKCE.
  • Azure
    • Could not find option to force PKCE, but does fail with invalid PKCE.

Docs Updates

• Update OIDC guidance to indicate support of PKCE, and advise enforcement where possible for extra security.
• Update advisory to advise enforcement? Probably a good idea.

---

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/BookStackApp/BookStack/pull/4804 **Author:** [@ssddanbrown](https://github.com/ssddanbrown) **Created:** 1/25/2024 **Status:** ✅ Merged **Merged:** 1/27/2024 **Merged by:** [@ssddanbrown](https://github.com/ssddanbrown) **Base:** `development` ← **Head:** `oidc_pkce` --- ### 📝 Commits (2) - [`3e9e196`](https://github.com/BookStackApp/BookStack/commit/3e9e196cdada5a6c515d5bbab971c80a90d333ab) OIDC: Added PKCE functionality - [`1dc094f`](https://github.com/BookStackApp/BookStack/commit/1dc094ffafc216e15c8355b400b21524137de5e4) OIDC: Added testing of PKCE flow ### 📊 Changes **3 files changed** (+51 additions, -20 deletions) <details> <summary>View changed files</summary> 📝 `app/Access/Oidc/OidcOAuthProvider.php` (+12 -19) 📝 `app/Access/Oidc/OidcService.php` (+11 -1) 📝 `tests/Auth/OidcTest.php` (+28 -0) </details> ### 📄 Description Related to #4734. ### Todo - [x] Check full implementation and library [against RFC spec](https://datatracker.ietf.org/doc/html/rfc7636). - [x] Cover with PHPUnit testing. - Auth system checks (Check each with and without enforcement for post/after compatibility): - [x] Jumpcloud - Works fine, Could not force PKCE, fails when invalid. - [x] Okta - Works fine, allows forcing PKCE. Fails in expected cases of invalid/missing value, including invalid when not enforced. - [x] Auth0 - Could not find option to force PKCE. Does fail with invalid PKCE in auth code request. - [x] Keycloak - Works fine, allows forcing PKCE (via specifying method) and fails without, and invalid when not enforced. - [x] Authentik - Could not find easy option to force PKCE, but does fail with invalid PKCE. - [x] Azure - Could not find option to force PKCE, but does fail with invalid PKCE. ### Docs Updates - Update OIDC guidance to indicate support of PKCE, and advise enforcement where possible for extra security. - Update advisory to advise enforcement? Probably a good idea. --- _{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

OVERLORD added the pull-request label 2026-02-05 10:31:29 +03:00

OVERLORD closed this issue 2026-02-05 10:31:31 +03:00

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

development

further_theme_development

l10n_development

release

llm_only

vectors

v25-11

docker_env

drawio_rendering

user_permissions

ldap_host_failover

svg_image

prosemirror

captcha_example

fix/video-export

v25.12.3

v25.12.2

v25.12.1

v25.12

v25.11.6

v25.11.5

v25.11.4

v24.11.4

v25.11.3

v25.11.2

v25.11.1

v25.11

v25.07.3

v25.07.2

v25.07.1

v25.07

v25.05.2

v25.05.1

v25.05

v25.02.5

v25.02.4

v25.02.3

v25.02.2

v25.02.1

v25.02

v24.12.1

v24.12

v24.10.3

v24.10.2

v24.10.1

v24.10

v24.05.4

v24.05.3

v24.05.2

v24.05.1

v24.05

v24.02.3

v24.02.2

v24.02.1

v24.02

v23.12.3

v23.12.2

v23.12.1

v23.12

v23.10.4

v23.10.3

v23.10.2

v23.10.1

v23.10

v23.08.3

v23.08.2

v23.08.1

v23.08

v23.06.2

v23.06.1

v23.06

v23.05.2

v23.05.1

v23.05

v23.02.3

v23.02.2

v23.02.1

v23.02

v23.01.1

v23.01

v22.11.1

v22.11

v22.10.2

v22.10.1

v22.10

v22.09.1

v22.09

v22.07.3

v22.07.2

v22.07.1

v22.07

v22.06.2

v22.06.1

v22.06

v22.04.2

v22.04.1

v22.04

v22.03.1

v22.03

v22.02.3

v22.02.2

v22.02.1

v22.02

v21.12.5

v21.12.4

v21.12.3

v21.12.2

v21.12.1

v21.12

v21.11.3

v21.11.2

v21.11.1

v21.11

v21.10.3

v21.10.2

v21.10.1

v21.10

v21.08.6

v21.08.5

v21.08.4

v21.08.3

v21.08.2

v21.08.1

v21.08

v21.05.4

v21.05.3

v21.05.2

v21.05.1

v21.05

v21.04.6

v21.04.5

v21.04.4

v21.04.3

v21.04.2

v21.04.1

v21.04

v0.31.8

v0.31.7

v0.31.6

v0.31.5

v0.31.4

v0.31.3

v0.31.2

v0.31.1

v0.31.0

v0.30.7

v0.30.6

v0.30.5

v0.30.4

v0.30.3

v0.30.2

v0.30.1

v0.30.0

v0.29.3

v0.29.2

v0.29.1

v0.29.0

v0.28.3

v0.28.2

v0.28.1

v0.28.0

v0.27.5

v0.27.4

v0.27.3

v0.27.2

v0.27.1

v0.27

v0.26.4

v0.26.3

v0.26.2

v0.26.1

v0.26.0

v0.25.5

v0.25.4

v0.25.3

v0.25.2

v0.25.1

v0.25.0

v0.24.3

v0.24.2

v0.24.1

v0.24.0

v0.23.2

v0.23.1

v0.23.0

v0.22.0

v0.21.0

v0.20.3

v0.20.2

v0.20.1

v0.20.0

v0.19.0

v0.18.5

v0.18.4

v0.18.3

v0.18.2

v0.18.1

v0.18.0

v0.17.4

v0.17.3

v0.17.2

v0.17.1

v0.17.0

v0.16.3

v0.16.2

v0.16.1

v0.16.0

v0.15.3

v0.15.2

v0.15.1

v0.15.0

v0.14.3

v0.14.2

v0.14.1

v0.14.0

v0.13.1

v0.13.0

v0.12.2

v0.12.1

v0.12.0

v0.11.2

v0.11.1

v0.11.0

v0.10.0

v0.9.3

v0.9.2

v0.9.1

v0.9.0

v0.8.2

v0.8.1

v0.8.0

v0.7.6

v0.7.5

v0.7.4

v0.7.3

0.7.2

v.0.7.1

v0.7.0

v0.6.3

v0.6.2

v0.6.1

v0.6.0

v0.5.0

Labels

Clear labels

🎨 Design

📖 Docs Update

🐛 Bug

🐛 Bug

:cat2:🐈 Possible duplicate

💿 Database

☕ Open to discussion

💻 Front-End

🐕 Support

🚪 Authentication

🌍 Translations

🔌 API Task

🏭 Back-End

⛲ Upstream

🔨 Feature Request

🛠️ Enhancement

🛠️ Enhancement

🛠️ Enhancement

❤️ Happy feedback

🔒 Security

🔍 Pending Validation

💆 UX

📝 WYSIWYG Editor

🌔 Out of scope

🔩 API Request

:octocat: Admin/Meta

🖌️ View Customization

❓ Question

🚀 Priority

🛡️ Blocked

🚚 Export System

♿ A11y

🔧 Maintenance

> Markdown Editor

pull-request

Mirrored from GitHub Pull Request

No Label pull-request

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

OVERLORD

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/BookStack#6407