🚀 Feature: PKCE Support #459

New Issue

Closed

opened 2025-10-09 16:47:56 +03:00 by OVERLORD · 4 comments

OVERLORD commented 2025-10-09 16:47:56 +03:00

Owner

Copy Link

Originally created by @stonith404 on GitHub.

Feature description

Implement PKCE for OIDC.

Pitch

When public clients (e.g., native and single-page applications) request access tokens, some additional security concerns are posed that are not mitigated by the Authorization Code Flow alone. Because of that PKCE should be supported by Pocket ID.

Originally created by @stonith404 on GitHub. ### Feature description Implement PKCE for OIDC. ### Pitch When public clients (e.g., native and single-page applications) request access tokens, some additional security concerns are posed that are not mitigated by the Authorization Code Flow alone. Because of that PKCE should be supported by Pocket ID.

OVERLORD added the feature label 2025-10-09 16:47:56 +03:00

OVERLORD closed this issue 2025-10-09 16:47:57 +03:00

OVERLORD commented 2025-10-09 16:47:59 +03:00

Author

Owner

Copy Link

@stonith404 commented on GitHub:

@cdemi Would you mind to test the stonith404/pocket-id:development image? PKCE should work in this image.

@stonith404 commented on GitHub: @cdemi Would you mind to test the `stonith404/pocket-id:development` image? PKCE should work in this image.

OVERLORD commented 2025-10-09 16:47:59 +03:00

Author

Owner

Copy Link

@stonith404 commented on GitHub:

Added in v0.15.0.

@stonith404 commented on GitHub: Added in `v0.15.0`.

OVERLORD commented 2025-10-09 16:47:59 +03:00

Author

Owner

Copy Link

@cdemi commented on GitHub:

I have spun up the development image and testing it out against https://oidcdebugger.com/ and I still get a CORS error: Access to XMLHttpRequest at 'https://mypocketid.domain/api/oidc/token' from origin 'https://oidcdebugger.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource

Server logs and browser show 403 on /api/oidc/token:

pocketid | [GIN] 2024/11/15 - 15:54:14 | 403 | 57.157µs | xxx.xxx.xxx.xxx | POST "/api/oidc/token"

@cdemi commented on GitHub: I have spun up the `development` image and testing it out against https://oidcdebugger.com/ and I still get a CORS error: `Access to XMLHttpRequest at 'https://mypocketid.domain/api/oidc/token' from origin 'https://oidcdebugger.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource` Server logs and browser show `403` on `/api/oidc/token`: `pocketid | [GIN] 2024/11/15 - 15:54:14 | 403 | 57.157µs | xxx.xxx.xxx.xxx | POST "/api/oidc/token"`

OVERLORD commented 2025-10-09 16:48:02 +03:00

Author

Owner

Copy Link

@stonith404 commented on GitHub:

Thanks, I made some changes and now it should work. Could you try the new development image again?

You now have to set your OIDC client to public in the OIDC client settings, to enable PKCE:

I made some changes to the migration, so please run the following command after you've updated the image:

sqlite3 data/pocket-id.db "ALTER TABLE oidc_clients ADD COLUMN is_public BOOLEAN DEFAULT FALSE;"

@stonith404 commented on GitHub: Thanks, I made some changes and now it should work. Could you try the new `development` image again? You now have to set your OIDC client to public in the OIDC client settings, to enable PKCE:  I made some changes to the migration, so please run the following command after you've updated the image: ```sh sqlite3 data/pocket-id.db "ALTER TABLE oidc_clients ADD COLUMN is_public BOOLEAN DEFAULT FALSE;" ```

OVERLORD referenced this issue 2025-10-09 16:57:20 +03:00

[PR #459] [MERGED] chore(translations): update translations via Crowdin #794

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

oidc-scopes

breaking/v2

i18n_crowdin

v2/use-item-component

default-env-db-keys

slog-gorm

v1.16.0

v1.15.0

v1.14.2

v1.14.1

v1.14.0

v1.13.1

v1.13.0

v1.12.0

v1.11.2

v1.11.1

v1.11.0

v1.10.0

v1.9.1

v1.9.0

v1.8.1

v1.8.0

v1.7.0

v1.6.4

v1.6.3

v1.6.2

v1.6.1

v1.6.0

v1.5.0

v1.4.1

v1.4.0

v1.3.1

v1.3.0

v1.2.0

v1.1.0

v1.0.0

v0.53.0

v0.52.0

v0.51.1

v0.51.0

v0.50.0

v0.49.0

v0.48.0

v0.47.0

v0.46.0

v0.45.0

v0.44.0

v0.43.1

v0.43.0

v0.42.1

v0.42.0

v0.41.0

v0.40.1

v0.40.0

v0.39.0

v0.38.0

v0.37.0

v0.36.0

v0.35.6

v0.35.5

v0.35.4

v0.35.3

v0.35.2

v0.35.1

v0.35.0

v0.34.0

v0.33.0

v0.32.0

v0.31.0

v0.30.0

v0.29.0

v0.28.1

v0.28.0

v0.27.2

v0.27.1

v0.27.0

v0.26.0

v0.25.1

v0.25.0

v0.24.1

v0.24.0

v0.23.0

v0.22.0

v0.21.0

v0.20.1

v0.20.0

v0.19.0

v0.18.0

v0.17.0

v0.16.0

v0.15.0

v0.14.0

v0.13.1

v0.13.0

v0.12.0

v0.11.0

v0.10.0

v0.9.0

v0.8.1

v0.8.0

v0.7.1

v0.7.0

v0.6.0

v0.5.3

v0.5.2

v0.5.1

v0.5.0

v0.4.1

v0.4.0

v0.3.1

v0.3.0

v0.2.1

v0.2.0

v0.1.3

v0.1.2

v0.1.1

v0.1.0

Labels

Clear labels

breaking

bug

documentation

feature

needs more upvotes

open to pull requests

pull-request

Mirrored from GitHub Pull Request

No Label feature

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

OVERLORD

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/pocket-id-pocket-id-2#459