Device Code Grant with PKCE

[m-mohr]

Some providers (e.g. EGI check-in) support Device Code with PKCE (as in Auth Code with PKCE). This is useful in some circumstances and we'd like to use it instead of AuthCode with PKCE to avoid (1) spinning up a server in the background and (2) providing a client secret. Are there any plans to implement Device Code with PKCE? If not, would you be open to a PR?

[hadley]

I’m guessing this should be straightforward but can you please provide a link to the spec?

[m-mohr]

I'm not even sure there's a spec that combines them, but I can't find it for AuthCode + PKCE either. It seems they are spec'ed independently in both cases?!
So it is a combination of https://datatracker.ietf.org/doc/html/rfc8628 and https://datatracker.ietf.org/doc/html/rfc7636.

An implementation is available from the EGI Foundation, which is pretty popular in Europe for SSO across scientific bodies (e.g. universities).

[flahn]

Please have a look at the PR #109. I have implemented and tested the device code flow + PKCE against the EGI service which we use in the openEO projects.