feat: prompt admin with PKCE client support hint (#1499)

Co-authored-by: james <james@goldfish.net>
Co-authored-by: Alessandro (Ale) Segala <43508+ItalyPaleAle@users.noreply.github.com>
Co-authored-by: Elias Schneider <login@eliasschneider.com>
Co-authored-by: Kyle Mendell <kmendell@ofkm.us>
This commit is contained in:
James18232
2026-06-29 04:10:30 +10:00
committed by GitHub
parent 1b3ba3f6c2
commit 97bd466f38
15 changed files with 106 additions and 13 deletions

View File

@@ -21,6 +21,7 @@ type OidcClientDto struct {
SkipConsent bool `json:"skipConsent"`
Credentials OidcClientCredentialsDto `json:"credentials"`
IsGroupRestricted bool `json:"isGroupRestricted"`
PkceSupported bool `json:"pkceSupported,omitempty"`
}
type OidcClientWithAllowedUserGroupsDto struct {

View File

@@ -36,6 +36,7 @@ type OidcClient struct {
Credentials OidcClientCredentials
LaunchURL *string
IsGroupRestricted bool `sortable:"true" filterable:"true"`
PkceSupported bool `sortable:"true" filterable:"true"`
AllowedUserGroups []UserGroup `gorm:"many2many:oidc_clients_allowed_user_groups;"`
CreatedByID *string

View File

@@ -133,12 +133,28 @@ func (s *authorizationService) authorize(ctx context.Context, input authorizeInp
now: time.Now().UTC(),
}
codeChallenge := input.requester.GetRequestForm().Get("code_challenge")
var result authorizationResult
err = withTx(ctx, s.db, func(ctx context.Context) error {
var err error
result, err = s.authorizeAuthenticated(ctx, req)
return err
if err != nil {
return err
}
if codeChallenge != "" &&
!client.PkceEnabled &&
!client.PkceSupported {
tx := dbFromContext(ctx, s.db)
_ = flagPkceSupportedClient(ctx, client.GetID(), tx)
}
return nil
})
if err != nil {
return authorizationResult{}, err
}
@@ -229,6 +245,20 @@ func (s *authorizationService) authorizeAuthenticated(ctx context.Context, req a
return authorizationResult{Session: session}, nil
}
func flagPkceSupportedClient(ctx context.Context, clientID string, tx *gorm.DB) error {
err := tx.
WithContext(ctx).
Model(&model.OidcClient{}).
Where("id = ?", clientID).
Update("pkce_supported", true).
Error
if err != nil && !errors.Is(err, gorm.ErrRecordNotFound) {
return err
}
return nil
}
// resolveRequirements determines the interaction steps still required; the requirements
// of a resumed interaction session win over the ones derived from the request.
func (s *authorizationService) resolveRequirements(ctx context.Context, req authorizeRequest, interactionSession *InteractionSession) (interactionRequirements, time.Time, error) {

View File

@@ -218,6 +218,10 @@ func updateOIDCClientModelFromDto(client *model.OidcClient, input *dto.OidcClien
client.IsPublic = input.IsPublic
// PKCE is required for public clients
client.PkceEnabled = input.IsPublic || input.PkceEnabled
// Reset any pkce support prompt if previously flagged
if !input.PkceEnabled {
client.PkceSupported = false
}
client.RequiresReauthentication = input.RequiresReauthentication
client.RequiresPushedAuthorizationRequests = input.RequiresPushedAuthorizationRequests
client.SkipConsent = input.SkipConsent

View File

@@ -0,0 +1 @@
ALTER TABLE oidc_clients DROP COLUMN pkce_supported;

View File

@@ -0,0 +1,2 @@
ALTER TABLE oidc_clients
ADD COLUMN pkce_supported BOOLEAN NOT NULL DEFAULT FALSE;

View File

@@ -0,0 +1,7 @@
PRAGMA foreign_keys=OFF;
BEGIN;
ALTER TABLE oidc_clients DROP COLUMN pkce_supported;
COMMIT;
PRAGMA foreign_keys=ON;

View File

@@ -0,0 +1,8 @@
PRAGMA foreign_keys= OFF;
BEGIN;
ALTER TABLE oidc_clients
ADD COLUMN pkce_supported BOOLEAN NOT NULL DEFAULT 0;
COMMIT;
PRAGMA foreign_keys= ON;