
Add support for PKCE in oauth2 #59930

Draft
julien-nc wants to merge 4 commits into master from enh/12881/oauth2-pkce


@julien-nc
Member

Summary

  • Support optional code_challenge and code_challenge_method params in the authorize endpoint
  • Implement PKCE support as described in the RFC
  • When using PKCE, only allow the S256 method (do not support plain)
  • Fix preservation of the query params and fragments in the redirect URL

TODO

  • test with a real client
  • adjust server documentation

Checklist

AI (if applicable)

  • The content of this PR was partly or fully generated using AI
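
The S256-only rule from the summary above, sketched as an added example; this is not code from the pull request or from Nextcloud. The function names `acceptChallenge` and `verifyPkce` are hypothetical, and the handling of a verifier sent for a code issued without a challenge is an assumption of this example.

```php
<?php
declare(strict_types=1);
// Added illustration; function names are hypothetical, not Nextcloud's code.

/** Unpadded base64url, the encoding RFC 7636 uses for S256 challenges. */
function base64UrlEncode(string $raw): string {
    return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
}

/** Authorize endpoint: PKCE is optional, but if used it must be S256. */
function acceptChallenge(?string $challenge, ?string $method): bool {
    if ($challenge === null && $method === null) {
        return true; // no PKCE requested
    }
    // A missing method means "plain" in RFC 7636, so it is refused as well.
    if ($challenge === null || $method !== 'S256') {
        return false;
    }
    // A SHA-256 digest in unpadded base64url is exactly 43 characters.
    return preg_match('/\A[A-Za-z0-9_-]{43}\z/', $challenge) === 1;
}

/** Token endpoint: compare the verifier with the challenge stored for the code. */
function verifyPkce(?string $storedChallenge, ?string $verifier): bool {
    if ($storedChallenge === null) {
        // Assumption of this example: a verifier sent for a code issued
        // without a challenge is treated as an error, not ignored.
        return $verifier === null;
    }
    // RFC 7636 section 4.1: 43-128 characters from the unreserved set.
    if ($verifier === null
        || preg_match('/\A[A-Za-z0-9._~-]{43,128}\z/', $verifier) !== 1) {
        return false;
    }
    $computed = base64UrlEncode(hash('sha256', $verifier, true));
    return hash_equals($storedChallenge, $computed); // constant-time compare
}

// Test vector from RFC 7636, Appendix B.
$verifier  = 'dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk';
$challenge = 'E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM';

var_dump(acceptChallenge($challenge, 'S256'));  // well-formed S256 challenge
var_dump(acceptChallenge($challenge, 'plain')); // plain method
var_dump(acceptChallenge($challenge, null));    // method omitted
var_dump(verifyPkce($challenge, $verifier));    // matching verifier
var_dump(verifyPkce($challenge, $challenge));   // challenge replayed as verifier
var_dump(verifyPkce(null, $verifier));          // verifier without stored challenge
```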

@julien-nc julien-nc added this to the Nextcloud 34 milestone Apr 27, 2026
@julien-nc julien-nc requested a review from kesselb April 27, 2026 12:14
@julien-nc julien-nc force-pushed the enh/12881/oauth2-pkce branch 2 times, most recently from 654d5e3 to b782a2d Compare April 27, 2026 12:23
Signed-off-by: Julien Veyssier <julien-nc@posteo.net>
Signed-off-by: Julien Veyssier <julien-nc@posteo.net>
… verifier according to the RFC, adjust tests

Signed-off-by: Julien Veyssier <julien-nc@posteo.net>
@julien-nc julien-nc force-pushed the enh/12881/oauth2-pkce branch from b782a2d to dffa90f Compare April 27, 2026 12:23
…pport legacy redirect URL

Signed-off-by: Julien Veyssier <julien-nc@posteo.net>
@julien-nc julien-nc force-pushed the enh/12881/oauth2-pkce branch from dffa90f to 060bbd5 Compare April 27, 2026 13:16

Development

Successfully merging this pull request may close these issues.

Implement OAUTH2 Authorization code with PKCE