feat(backend:auth): add toggle for security.supportPKCE in OIDC provider

johaven · johaven · commit d90cbf73e633 · 2026-03-09T00:43:24.000+01:00
diff --git a/backend/src/authentication/providers/oidc/auth-oidc.config.ts b/backend/src/authentication/providers/oidc/auth-oidc.config.ts
@@ -20,6 +20,10 @@ export class AuthProviderOIDCSecurityConfig {
   @Matches(/\bopenid\b/, { message: 'OIDC scope must include "openid"' })
   scope = 'openid email profile'
 
+  @IsOptional()
+  @IsBoolean()
+  supportPKCE? = true
+
   @Transform(({ value }) => value || OAuthTokenEndpoint.ClientSecretBasic)
   @IsEnum(OAuthTokenEndpoint)
   tokenEndpointAuthMethod: OAuthTokenEndpoint = OAuthTokenEndpoint.ClientSecretBasic
diff --git a/backend/src/authentication/providers/oidc/auth-provider-oidc.service.spec.ts b/backend/src/authentication/providers/oidc/auth-provider-oidc.service.spec.ts
@@ -25,6 +25,7 @@ jest.mock('../../../configuration/config.environment', () => ({
         redirectUri: 'https://api.example.test/auth/oidc/callback',
         security: {
           scope: 'openid profile email',
+          supportPKCE: true,
           tokenSigningAlg: 'RS256',
           userInfoSigningAlg: 'RS256',
           tokenEndpointAuthMethod: 'client_secret_basic',
@@ -163,6 +164,23 @@ describe(AuthProviderOIDC.name, () => {
     expect(url.searchParams.get('client_id')).toBe('client-id')
   })
 
+  it('does not use PKCE when supportPKCE is false', async () => {
+    ;(service as any).oidcConfig.security.supportPKCE = false
+    jest.spyOn(service, 'getConfig').mockResolvedValue(makeConfig(true) as any)
+    ;(randomState as jest.Mock).mockReturnValue('state-1')
+    ;(randomNonce as jest.Mock).mockReturnValue('nonce-1')
+    const reply = makeReply()
+
+    const authUrl = await service.getAuthorizationUrl(reply as any)
+
+    expect(randomPKCECodeVerifier).not.toHaveBeenCalled()
+    expect(calculatePKCECodeChallenge).not.toHaveBeenCalled()
+    expect(reply.setCookie).not.toHaveBeenCalledWith(OAuthCookie.CodeVerifier, expect.anything(), expect.any(Object))
+    const url = new URL(authUrl)
+    expect(url.searchParams.get('code_challenge')).toBeNull()
+    ;(service as any).oidcConfig.security.supportPKCE = true
+  })
+
   it('handles callback success and clears cookies', async () => {
     const config = makeConfig(true)
     jest.spyOn(service, 'getConfig').mockResolvedValue(config as any)
diff --git a/backend/src/authentication/providers/oidc/auth-provider-oidc.service.ts b/backend/src/authentication/providers/oidc/auth-provider-oidc.service.ts
@@ -81,8 +81,8 @@ export class AuthProviderOIDC implements AuthProvider {
     const state = randomState()
     const nonce = randomNonce()
 
-    const supportsPKCE = config.serverMetadata().supportsPKCE()
-    const codeVerifier = supportsPKCE ? randomPKCECodeVerifier() : undefined
+    const isPKCEEnabled = this.isPKCEEnabled(config)
+    const codeVerifier = isPKCEEnabled ? randomPKCECodeVerifier() : undefined
 
     const authUrl = new URL(config.serverMetadata().authorization_endpoint!)
     authUrl.searchParams.set('client_id', this.oidcConfig.clientId!)
@@ -91,7 +91,7 @@ export class AuthProviderOIDC implements AuthProvider {
     authUrl.searchParams.set('scope', this.oidcConfig.security.scope)
     authUrl.searchParams.set('state', state)
     authUrl.searchParams.set('nonce', nonce)
-    if (supportsPKCE) {
+    if (isPKCEEnabled) {
       const codeChallenge = await calculatePKCECodeChallenge(codeVerifier!)
       authUrl.searchParams.set('code_challenge', codeChallenge)
       authUrl.searchParams.set('code_challenge_method', 'S256')
@@ -108,15 +108,15 @@ export class AuthProviderOIDC implements AuthProvider {
     // Store state, nonce, and codeVerifier in httpOnly cookies (expires in 10 minutes)
     res.setCookie(OAuthCookie.State, state, OAuthCookieSettings)
     res.setCookie(OAuthCookie.Nonce, nonce, OAuthCookieSettings)
-    if (supportsPKCE) {
+    if (isPKCEEnabled) {
       res.setCookie(OAuthCookie.CodeVerifier, codeVerifier, OAuthCookieSettings)
     }
     return authUrl.toString()
   }
 
   async handleCallback(req: FastifyRequest, res: FastifyReply, query: Record<string, string>): Promise<UserModel> {
     const config = await this.getConfig()
-    const supportsPKCE = config.serverMetadata().supportsPKCE()
+    const isPKCEEnabled = this.isPKCEEnabled(config)
     const [expectedState, expectedNonce, codeVerifier] = [
       req.cookies[OAuthCookie.State],
       req.cookies[OAuthCookie.Nonce],
@@ -128,11 +128,11 @@ export class AuthProviderOIDC implements AuthProvider {
         throw new HttpException('OAuth state is missing', HttpStatus.BAD_REQUEST)
       }
 
-      if (supportsPKCE && !codeVerifier?.length) {
+      if (isPKCEEnabled && !codeVerifier?.length) {
         throw new HttpException('OAuth code verifier is missing', HttpStatus.BAD_REQUEST)
       }
 
-      const pkceCodeVerifier = supportsPKCE ? codeVerifier : undefined
+      const pkceCodeVerifier = isPKCEEnabled ? codeVerifier : undefined
       const callbackParams = new URLSearchParams(query)
 
       // Get Desktop Port if defined
@@ -275,6 +275,10 @@ export class AuthProviderOIDC implements AuthProvider {
     }
   }
 
+  private isPKCEEnabled(config: Configuration): boolean {
+    return (this.oidcConfig.security.supportPKCE ?? true) && config.serverMetadata().supportsPKCE()
+  }
+
   private async processUserInfo(userInfo: UserInfoResponse, ip?: string): Promise<UserModel> {
     // Extract user information
     const { login, email } = this.extractLoginAndEmail(userInfo)
diff --git a/environment/environment.dist.yaml b/environment/environment.dist.yaml
@@ -258,6 +258,10 @@ auth:
       # Common scopes: openid (required), email, profile, groups, roles
       # default: `openid email profile`
       scope: openid email profile
+      # supportPKCE: Enable PKCE (Proof Key for Code Exchange) in the authorization code flow.
+      # When true, PKCE is used if supported by the OIDC provider.
+      # default: true
+      supportPKCE: true
       # OAuth 2.0 / OIDC client authentication method used at the token endpoint.
       # Possible values:
       # - client_secret_basic (DEFAULT): HTTP Basic auth using client_id and client_secret.
