Add code_challenge_methods_supported property to OIDC auto discovery

AUTHORS

@@ -52,6 +52,7 @@ Egor Poderiagin
 Emanuele Palazzetti
 Federico Dolce
 Frederico Vieira
+Gaël Utard
 Hasan Ramezani
 Hiroki Kiyohara
 Hossein Shakiba

CHANGELOG.md

@@ -26,6 +26,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 * #1311 Add option to disable client_secret hashing to allow verifying JWTs' signatures.
 * #1337 Gracefully handle expired or deleted refresh tokens, in `validate_user`.
 * #1350 Support Python 3.12 and Django 5.0
+* #1249 Add code_challenge_methods_supported property to auto discovery informations
+  per [RFC 8414 section 2](https://www.rfc-editor.org/rfc/rfc8414.html#page-7)
 
 ### Fixed
 * #1322 Instructions in documentation on how to create a code challenge and code verifier

oauth2_provider/views/oidc.py

@@ -26,6 +26,7 @@
 from ..forms import ConfirmLogoutForm
 from ..http import OAuth2ResponseRedirect
 from ..models import (
+    AbstractGrant,
     get_access_token_model,
     get_application_model,
     get_id_token_model,
@@ -96,6 +97,7 @@ def get(self, request, *args, **kwargs):
             "token_endpoint_auth_methods_supported": (
                 oauth2_settings.OIDC_TOKEN_ENDPOINT_AUTH_METHODS_SUPPORTED
             ),
+            "code_challenge_methods_supported": [key for key, _ in AbstractGrant.CODE_CHALLENGE_METHODS],
             "claims_supported": oidc_claims,
         }
         if oauth2_settings.OIDC_RP_INITIATED_LOGOUT_ENABLED:

tests/test_oidc_views.py

@@ -48,6 +48,7 @@ def test_get_connect_discovery_info(self):
             "subject_types_supported": ["public"],
             "id_token_signing_alg_values_supported": ["RS256", "HS256"],
             "token_endpoint_auth_methods_supported": ["client_secret_post", "client_secret_basic"],
+            "code_challenge_methods_supported": ["plain", "S256"],
             "claims_supported": ["sub"],
         }
         response = self.client.get("/o/.well-known/openid-configuration")
@@ -74,6 +75,7 @@ def test_get_connect_discovery_info_deprecated(self):
             "subject_types_supported": ["public"],
             "id_token_signing_alg_values_supported": ["RS256", "HS256"],
             "token_endpoint_auth_methods_supported": ["client_secret_post", "client_secret_basic"],
+            "code_challenge_methods_supported": ["plain", "S256"],
             "claims_supported": ["sub"],
         }
         response = self.client.get("/o/.well-known/openid-configuration/")
@@ -100,6 +102,7 @@ def expect_json_response_with_rp_logout(self, base):
             "subject_types_supported": ["public"],
             "id_token_signing_alg_values_supported": ["RS256", "HS256"],
             "token_endpoint_auth_methods_supported": ["client_secret_post", "client_secret_basic"],
+            "code_challenge_methods_supported": ["plain", "S256"],
             "claims_supported": ["sub"],
             "end_session_endpoint": f"{base}/logout/",
         }
@@ -133,6 +136,7 @@ def test_get_connect_discovery_info_without_issuer_url(self):
             "subject_types_supported": ["public"],
             "id_token_signing_alg_values_supported": ["RS256", "HS256"],
             "token_endpoint_auth_methods_supported": ["client_secret_post", "client_secret_basic"],
+            "code_challenge_methods_supported": ["plain", "S256"],
             "claims_supported": ["sub"],
         }
         response = self.client.get(reverse("oauth2_provider:oidc-connect-discovery-info"))