
PKCE doesn't work after upgrade to NC28.0.2 and user_oidc > 1.3.6 #806

Open
isdnfan opened this issue Mar 6, 2024 · 2 comments
isdnfan commented Mar 6, 2024

I have successfully integrated NC 28.0.1 and user_oidc 1.3.5 with the zitadel IdP using PKCE (empty client secret).
When I upgraded my dev environment to NC 28.0.2 and the "integrated" user_oidc upgrade to 1.3.6, the integration stopped working.

Reviewing the release notes I found #740, which introduces a new setting making PKCE optional, so I added the new parameter

use_pkce = true to my config using occ config:app:set --value=true user_oidc use_pkce, but still no luck logging in. The login process fails with this error:
[screenshot of the login error]

If I use the same IdP with "client authentication" (client_id + client_secret), login is successful.

Please advise how to make PKCE work, especially considering PKCE is the "preferred" variant:

https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-16#section-2.1.1

Clients MUST prevent injection (replay) of authorization codes into the authorization response by attackers. Public clients MUST use PKCE [RFC7636] to this end. For confidential clients, the use of PKCE [RFC7636] is RECOMMENDED.

occ config:list user_oidc
{
    "apps": {
        "user_oidc": {
            "allow_multiple_user_backends": "0",
            "enabled": "yes",
            "id4me_enabled": "0",
            "installed_version": "5.0.1",
            "provider-7-jwksCache": "",
            "provider-7-jwksCacheTimestamp": "",
            "provider-8-bearerProvisioning": "0",
            "provider-8-checkBearer": "0",
            "provider-8-extraClaims": "preferred_username",
            "provider-8-groupProvisioning": "1",
            "provider-8-jwksCache": ***SENSITIVE VALUE***,
            "provider-8-mappingAddress": "",
            "provider-8-mappingAvatar": "",
            "provider-8-mappingBiography": "",
            "provider-8-mappingCountry": "",
            "provider-8-mappingDisplayName": "",
            "provider-8-mappingEmail": "",
            "provider-8-mappingFediverse": "",
            "provider-8-mappingGender": "",
            "provider-8-mappingGroups": "x-grants",
            "provider-8-mappingHeadline": "",
            "provider-8-mappingLocality": "",
            "provider-8-mappingOrganisation": "",
            "provider-8-mappingPhonenumber": "",
            "provider-8-mappingPostalcode": "",
            "provider-8-mappingQuota": "",
            "provider-8-mappingRegion": "",
            "provider-8-mappingRole": "",
            "provider-8-mappingStreetaddress": "",
            "provider-8-mappingTwitter": "",
            "provider-8-mappingUid": "preferred_username",
            "provider-8-mappingWebsite": "",
            "provider-8-providerBasedId": "0",
            "provider-8-sendIdTokenHint": "0",
            "provider-8-uniqueUid": "0",
            "types": "authentication",
            "use_pkce": "true"
        }
    }
}

isdnfan commented Mar 6, 2024

I'm not sure if the command occ config:app:set --value=true user_oidc use_pkce writes a string value and not a boolean. Unfortunately occ config:app:set doesn't support --type=boolean as occ config:system:set does.

I'm a little surprised, but the config doesn't end up in config.php (community docker), so I'm unsure how to verify whether the setting was applied in the right way.


sebrhex commented Apr 23, 2024

Hi, I'm using PKCE and I had to set it as a system setting:
occ config:system:set --value=true --type=boolean user_oidc use_pkce
This will add the array and enable PKCE.
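One way to verify that the use_pkce setting actually took effect, independent of how occ stored it, is to look at the authorization request Nextcloud redirects the browser to: with PKCE active it carries a code_challenge (S256) derived from a per-login code_verifier as specified in RFC 7636. The following is an added Python example, not code from user_oidc or Nextcloud; the sample request URLs and hostnames are constructed, and the verifier/challenge pair is the RFC 7636 Appendix B test vector.

```python
import base64
import hashlib
import re
import secrets
from urllib.parse import parse_qs, urlsplit

# 43 base64url characters = one SHA-256 digest without padding
_S256_CHALLENGE = re.compile(r"^[A-Za-z0-9_-]{43}$")


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    # RFC 7636 section 4.1: 43..128 unreserved chars; 32 random bytes give 43
    return b64url(secrets.token_bytes(32))


def s256_challenge(verifier: str) -> str:
    # RFC 7636 section 4.2: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def pkce_status(authorize_url: str) -> dict:
    """Inspect the authorization request the relying party sends the browser to
    and report whether the returned code will be bound to a PKCE verifier."""
    params = parse_qs(urlsplit(authorize_url).query)
    challenge = params.get("code_challenge", [None])[0]
    # RFC 7636 section 4.3: a missing code_challenge_method means "plain"
    method = params.get("code_challenge_method", ["plain"])[0]
    problems = []
    if challenge is None:
        problems.append("no code_challenge: the authorization code is not bound to this login")
    elif method != "S256":
        problems.append(f"code_challenge_method={method}: the challenge would expose the verifier")
    elif not _S256_CHALLENGE.fullmatch(challenge):
        problems.append("code_challenge is not a base64url SHA-256 digest")
    return {"ok": not problems, "method": method if challenge else None, "problems": problems}


# Constructed sample requests (hypothetical IdP and redirect hostnames)
_BASE = ("https://idp.example/oauth/v2/authorize?response_type=code&client_id=nextcloud"
         "&redirect_uri=https%3A%2F%2Fcloud.example%2Fcallback&scope=openid")
VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"  # RFC 7636 Appendix B
PKCE_URL = f"{_BASE}&code_challenge={s256_challenge(VERIFIER)}&code_challenge_method=S256"
PLAIN_URL = f"{_BASE}&code_challenge={VERIFIER}&code_challenge_method=plain"
NO_PKCE_URL = _BASE

if __name__ == "__main__":
    for name, url in (("pkce", PKCE_URL), ("plain", PLAIN_URL), ("none", NO_PKCE_URL)):
        print(name, pkce_status(url))
```

Paste the Location header of the redirect to the IdP (from the browser's network tab or the web server log) into pkce_status to see whether the login is PKCE-bound before the token exchange even happens.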
