
PKCE

This content is for v8.x. Switch to the latest version for up-to-date documentation.

RFC7636 - Proof Key for Code Exchange (PKCE)

PKCE configuration: the code challenge methods the server accepts, and the policy that decides when a client is required to use PKCE.

Fine-tune the code challenge methods the authorization server accepts. Supported values are

  • S256
  • plain

With S256 the client sends BASE64URL(SHA256(code_verifier)) and keeps the verifier secret until the token request, so an attacker who observes the authorization request learns nothing usable. With plain the challenge is the verifier itself, which protects only against leakage of the authorization response and not of the request; keep plain disabled unless a legacy client genuinely cannot compute SHA-256.

default value:

['S256']

Configures if and when the authorization server requires clients to use PKCE. This helper is called whenever an authorization request lacks the code_challenge parameter. Return

  • false to allow the request to continue without PKCE
  • true to abort the request with an error

Note that every branch of the default implementation below returns true, so out of the box PKCE is required for all authorization requests; the individual cases document which profile or RFC mandates it for that kind of request, which matters if you replace the helper with a more permissive one.

default value:

function pkceRequired(ctx, client) {
  const fapiProfile = ctx.oidc.isFapi('2.0', '1.0 Final');
  switch (true) {
    // FAPI 2.0 as per
    // https://openid.net/specs/fapi-2_0-security-profile-ID2.html#section-5.3.1.2-2.5.1
    case fapiProfile === '2.0':
      return true;
    // FAPI 1.0 Advanced as per
    // https://openid.net/specs/openid-financial-api-part-2-1_0-final.html#authorization-server
    case fapiProfile === '1.0 Final' && ctx.oidc.route === 'pushed_authorization_request':
      return true;
    // All Public clients as per
    // https://www.rfc-editor.org/rfc/rfc9700.html#section-2.1.1-2.1
    case client.clientAuthMethod === 'none':
      return true;
    // All other cases RECOMMENDED as per
    // https://www.rfc-editor.org/rfc/rfc9700.html#section-2.1.1-2.2
    default:
      return true;
  }
}