
feat: Allow PKCE clients to refresh tokens#10769

Merged
tommoor merged 6 commits into main from 10768-allow-pkce-clients-to-refresh-tokens on Dec 3, 2025

Conversation

tommoor (Member) commented Dec 3, 2025

Introduces the concept of a client type, which can be switched between confidential and public.

Public clients are not expected to include a client secret in authentication flows. All existing clients default to confidential for safety.

closes #10768

@tommoor tommoor requested a review from Copilot December 3, 2025 13:59

Copilot AI (Contributor) left a comment

Pull request overview

This PR introduces support for PKCE (Proof Key for Code Exchange) by adding the concept of client types to OAuth clients. Clients can now be designated as either "confidential" (server-side applications that can securely store secrets) or "public" (client-side or mobile applications that cannot). Public clients are allowed to refresh tokens without providing a client secret, while confidential clients must continue to provide their secret during token refresh.

Key changes:

  • Added clientType field to OAuth clients with "confidential" and "public" options
  • Modified token refresh flow to allow public clients to refresh without client_secret
  • Added UI components for selecting and displaying client type

Reviewed changes

Copilot reviewed 16 out of 16 changed files in this pull request and generated 2 comments.

| File | Description |
|---|---|
| shared/validations.ts | Defines the allowed client types ("confidential" and "public") |
| shared/i18n/locales/en_US/translation.json | Adds translation strings for client type labels and descriptions |
| server/utils/oauth/OAuthInterface.ts | Includes clientType in the OAuth client interface response |
| server/test/support.ts | Adds helper function to convert objects to form-urlencoded strings for testing |
| server/routes/oauth/middlewares/oauthErrorHandler.ts | Improves OAuth error handling by mapping HTTP status codes to OAuth error types |
| server/routes/oauth/index.ts | Implements client type validation and token refresh logic for confidential vs public clients |
| server/routes/oauth/index.test.ts | Adds comprehensive test coverage for token refresh flows with different client types |
| server/routes/api/oauthClients/schema.ts | Adds clientType field to OAuth client create/update API schemas |
| server/presenters/oauthClient.ts | Includes clientType in OAuth client presentation |
| server/models/oauth/OAuthClient.ts | Adds clientType field to the OAuthClient model with validation |
| server/migrations/20251203124235-oauth-authentications-pkce.js | Database migration to add clientType column with "confidential" default |
| app/scenes/Settings/Application.tsx | Adds client type selector to application settings UI and conditionally shows client secret |
| app/models/oauth/OAuthClient.ts | Adds clientType field to the client-side OAuthClient model |
| app/components/OAuthClient/OAuthClientForm.tsx | Adds client type input to OAuth client creation form |
| app/components/OAuthClient/InputClientType.tsx | New component for selecting OAuth client type |
| app/components/InputSelect.tsx | Extends Props type to accept HTML button attributes |


Comment thread server/models/oauth/OAuthClient.ts
tommoor (Member, Author) commented Dec 3, 2025

cc @olu-an

tommoor merged commit 9425267 into main Dec 3, 2025
16 checks passed
tommoor deleted the 10768-allow-pkce-clients-to-refresh-tokens branch December 3, 2025 23:09
alexlebens pushed a commit to alexlebens/infrastructure that referenced this pull request Jan 7, 2026
This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [outlinewiki/outline](https://github.com/outline/outline) | minor | `1.1.0` → `1.2.0` |

---

### Release Notes

<details>
<summary>outline/outline (outlinewiki/outline)</summary>

### [`v1.2.0`](https://github.com/outline/outline/releases/tag/v1.2.0)

[Compare Source](outline/outline@v1.1.0...v1.2.0)

#### What's Changed

##### Highlights

**Diagrams.net** diagrams are now fully supported, insert new diagrams through the block menu or by uploading an existing png that was created in Diagrams.net – the original diagram data will be preserved and can be edited by clicking the "Edit" button in the image toolbar.

**Custom emoji** are now available – upload your own custom emoji in the admin settings and use them in your documents, comments, reactions, and icons.

**Improved revision history** with the ability to download any revision as HTML or Markdown, toggle whether changes are visible, and an improved rendering engine that retains more of the original document's formatting and structure.

**Authentication provider management** has been added to the settings, allowing admins to view and manage all configured authentication providers in one place. This includes the ability to disable providers, which will prevent users from signing in with that provider but will not delete any existing accounts.

**Passkey support** has been added as an optional login method. You can now sign in with biometric authentication (TouchId, Windows Hello) or security keys instead of a password. Existing workspaces will need to enable this on the authentication providers screen.

##### Other improvements

- The sidebar design was improved and refined in [#&#8203;10684](outline/outline#10684)
- It is now possible to upload and embed PDFs in [#&#8203;10198](outline/outline#10198)
- A "Popular" tab is now available for documents, popular docs are ranked higher in search in [#&#8203;10721](outline/outline#10721)
- A visual color palette is now available in the icon picker in [#&#8203;10696](outline/outline#10696)
- Avatar changes are now synced automatically from IdP in [#&#8203;10718](outline/outline#10718)
- User initials now supported in mention search in [#&#8203;10797](outline/outline#10797)
- New option to distribute table columns evenly in [#&#8203;10645](outline/outline#10645)
- Mermaid diagrams now have an explicit "Edit" option in the toolbar in [#&#8203;11060](outline/outline#11060)
- Added filtering to the notifications UI in [#&#8203;10916](outline/outline#10916)
- Added CSV export for member list in [#&#8203;10803](outline/outline#10803)
- Added CIDR range support to `ALLOWED_PRIVATE_IP_ADDRESSES` in [#&#8203;10923](outline/outline#10923)
- Add ContextMenu to RevisionListItem in [#&#8203;10952](outline/outline#10952)
- The GitHub integration now supports fetching details on public issues/PRs in [#&#8203;10827](outline/outline#10827)
- It is no longer required to use a public bucket for avatar images in [#&#8203;10977](outline/outline#10977)
- Implemented RFC 9700 hardening against refresh token reuse in [#&#8203;10960](outline/outline#10960)
- PKCE OAuth clients can now use refresh tokens in [#&#8203;10769](outline/outline#10769)
- Support for PostgreSQL multi-host connection URIs in `DATABASE_URL` in [#&#8203;10754](outline/outline#10754)
- Many internal performance improvements

##### Fixes

- Fixed display issues in share dialog in [#&#8203;10662](outline/outline#10662)
- Incompatibility between path and query search terms in [#&#8203;10667](outline/outline#10667)
- Restored ability to resize shared sidebar in [#&#8203;10669](outline/outline#10669)
- UI does not update when deleting API key in [#&#8203;10670](outline/outline#10670)
- Invalid access of `firstChild` for mermaid diagrams in [#&#8203;10668](outline/outline#10668)
- Plain text copy-to-clipboard serializer no longer squashes blocks in [#&#8203;10683](outline/outline#10683)
- When TOC extends beyond window bounds ensure headings scroll in [#&#8203;10687](outline/outline#10687)
- Added missing drop cursor in top position in [#&#8203;10689](outline/outline#10689)
- `Empty trash` button is now hidden when missing permissions in [#&#8203;10704](outline/outline#10704)
- Fixed search popover on public pages in [#&#8203;10717](outline/outline#10717)
- Multiple improvements to sitemap generation for public shares in [#&#8203;10716](outline/outline#10716)
- Fixed in-document find fails with multiple escaped characters in [#&#8203;10735](outline/outline#10735)
- Improved validation of urls extracted from data transfer event in [#&#8203;10740](outline/outline#10740)
- Middle-mouse button on internal link in Firefox no longer opens multiple tabs in [#&#8203;10748](outline/outline#10748)
- Fixed collection filter returning documents from all collections when no search query in [#&#8203;10775](outline/outline#10775)
- Templates are now inserted at cursor position instead of document start in [#&#8203;10783](outline/outline#10783)
- Shift paste with selection no longer inserts next to selection in [#&#8203;10799](outline/outline#10799)
- Fixed an issue where some Mermaid diagrams can't be expanded in [#&#8203;10807](outline/outline#10807)
- Collection overview now respects the separate editing mode setting in [#&#8203;10816](outline/outline#10816)
- Query strings not forwarded on internal links from editor in [#&#8203;10854](outline/outline#10854)
- Shutdown during migrations does not release mutex lock in [#&#8203;10879](outline/outline#10879)
- `profileId` extraction in OIDC does not fallback to `token.sub` in [#&#8203;10882](outline/outline#10882)
- Fixed an issue where custom rate limiters were ignored due to mountPath mismatch in [#&#8203;10893](outline/outline#10893)
- Viewer role now replaced correctly on downgrade to guest in [#&#8203;10877](outline/outline#10877)
- Validation of `SECRET_KEY` environment variable tightened in [#&#8203;10897](outline/outline#10897)
- Fixed double pagination in `documents.list` and `documents.archived` with `sort=index` in [#&#8203;10895](outline/outline#10895)
- Comment actions now reliably appear in mobile drawer in [#&#8203;10904](outline/outline#10904)
- Fixed extra newlines in pasted code blocks in [#&#8203;10958](outline/outline#10958)
- Parser crash when pasting inline code containing checkboxes by [@&#8203;hdoo42](https://github.com/hdoo42) in [#&#8203;10949](outline/outline#10949)
- Fixed an issue where context menus could have context menus (menuception) in [#&#8203;10974](outline/outline#10974)
- Fixed invisible email buttons in iOS Mail dark mode in [#&#8203;10976](outline/outline#10976)
- Restored 'Create a doc' item in mention menu in [#&#8203;10980](outline/outline#10980)
- User with "can edit" permission on sub-document can now sort child documents in [#&#8203;10990](outline/outline#10990)
- Large base64 images pasted as HTML are now correctly handled in [#&#8203;10982](outline/outline#10982)
- Appending content via API no longer messes with existing document content in [#&#8203;10998](outline/outline#10998)
- Image warp exiting lightbox now correct in [#&#8203;10999](outline/outline#10999)
- Grips are now positioned correctly adjacent merged table cells in [#&#8203;11003](outline/outline#11003)
- Export no longer links to a non-accessible location for non-admins in [#&#8203;11070](outline/outline#11070)

#### New Contributors

- [@&#8203;nwleedev](https://github.com/nwleedev) made their first contribution in [#&#8203;10759](outline/outline#10759)
- [@&#8203;hdoo42](https://github.com/hdoo42) made their first contribution in [#&#8203;10949](outline/outline#10949)

**Full Changelog**: <outline/outline@v1.1.0...v1.2.0>

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).

Reviewed-on: https://gitea.alexlebens.dev/alexlebens/infrastructure/pulls/3075
Co-authored-by: Renovate Bot <renovate-bot@alexlebens.net>
Co-committed-by: Renovate Bot <renovate-bot@alexlebens.net>