🚀 Feature: Include code_challenge_methods_supported in ./well-known endpoint #103

Closed
opened 2025-10-07 23:53:15 +03:00 by OVERLORD · 2 comments
Owner

Originally created by @mzgaljic on GitHub.

Originally assigned to: @kmendell on GitHub.

Feature description

An application I use, Outline, determines if the OAuth provider supports the PKCE flow by inspecting the ./well-known response. To be specific, it looks for the key code_challenge_methods_supported. If it doesn't exist, it assumes PKCE is not supported. Outline is doing the right thing, according to the spec (https://datatracker.ietf.org/doc/html/rfc8414#section-2):

code_challenge_methods_supported
OPTIONAL. JSON array containing a list of Proof Key for Code
Exchange (PKCE) [RFC7636] code challenge methods supported by this
authorization server. Code challenge method values are used in
the "code_challenge_method" parameter defined in Section 4.3 of
[RFC7636]. The valid code challenge method values are those
registered in the IANA "PKCE Code Challenge Methods" registry
[IANA.OAuth.Parameters]. If omitted, the authorization server
does not support PKCE.

Emphasis on If omitted, the authorization server does not support PKCE.

Here is how Outline specifically handles this (if you're curious): https://github.com/outline/outline/pull/9478/files


Pitch

Pocket ID does not currently include code_challenge_methods_supported in the ./well-known response. It would be great if it did, so that I can use Outline (and other apps that work in a similar way) with PKCE, since PKCE is more secure.

If you're looking for a real example, I see Google returns it in their response: https://accounts.google.com/.well-known/openid-configuration

Author
Owner

@kmendell commented on GitHub:

@mzgaljic This should be in the ghcr.io/pocket-id/pocket-id:next image in a few minutes, if you would like to make sure it works.

Author
Owner

@mzgaljic commented on GitHub:

> @mzgaljic This should be in the ghcr.io/pocket-id/pocket-id:next image in a few minutes, if you would like to make sure it works.

That was fast. Just tested it out, PKCE works with Outline now. Thank you! Looking forward to seeing this in the next release.


Reference: starred/pocket-id-pocket-id-1#103