From a2285fb6c9d1974c11f08ded4207bab20f4094df Mon Sep 17 00:00:00 2001
From: Haitao Chen
Date: Mon, 18 Aug 2025 20:30:59 -0700
Subject: [PATCH] allow empty clientSecret when provider=oidc and codeChallengeMethod=S256

---
 pkg/validation/providers.go | 5 +++++
 pkg/validation/providers_test.go | 30 ++++++++++++++++++++++++++++++
 2 files changed, 35 insertions(+)

diff --git a/pkg/validation/providers.go b/pkg/validation/providers.go
index 4527b841..884e5da9 100644
--- a/pkg/validation/providers.go
+++ b/pkg/validation/providers.go
@@ -68,6 +68,11 @@ func providerRequiresClientSecret(provider options.Provider) bool {
 return false
 }
+ // PKCE with S256 doesn't require client secret
+ if provider.Type == "oidc" && provider.CodeChallengeMethod == "S256" {
+ return false
+ }
+
 if provider.Type == "login.gov" {
 return false
 }
diff --git a/pkg/validation/providers_test.go b/pkg/validation/providers_test.go
index 065eb305..3618bb15 100644
--- a/pkg/validation/providers_test.go
+++ b/pkg/validation/providers_test.go
@@ -79,5 +79,35 @@ var _ = Describe("Providers", func() {
 },
 errStrings: []string{skipButtonAndMultipleProvidersMsg},
 }),
+ Entry("with oidc provider using S256 PKCE and no client secret", &validateProvidersTableInput{
+ options: &options.Options{
+ Providers: options.Providers{
+ {
+ Type: "oidc",
+ ID: "oidc-s256",
+ ClientID: "client-id",
+ ClientSecret: "",
+ ClientSecretFile: "",
+ CodeChallengeMethod: "S256",
+ },
+ },
+ },
+ errStrings: []string{},
+ }),
+ Entry("with oidc provider using S256 PKCE and client secret", &validateProvidersTableInput{
+ options: &options.Options{
+ Providers: options.Providers{
+ {
+ Type: "oidc",
+ ID: "oidc-s256",
+ ClientID: "client-id",
+ ClientSecret: "mysecret",
+ ClientSecretFile: "",
+ CodeChallengeMethod: "S256",
+ },
+ },
+ },
+ errStrings: []string{},
+ }),
 )
 })
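Review bot: The new early return in providerRequiresClientSecret treats every oidc provider with CodeChallengeMethod "S256" as not needing a client secret, but PKCE only binds the authorization code to the client that started the flow; it does not authenticate the client, so omitting the secret is only correct when the IdP has registered the client as public. The comment on the first added line should say that instead of implying PKCE replaces the secret, e.g. `// Public OIDC clients using PKCE (S256) may omit the client secret; the IdP must have registered the client as public, and plain PKCE deliberately still requires one`. The literals `"oidc"` and `"S256"` match the existing `"login.gov"` literal style, but if the options package already exports constants for these values, using them would keep this check from silently diverging on a future casing or naming change. providerRequiresClientSecret starts and ends outside the hunk.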
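Review bot: Both added Entry cases in providers_test.go exercise only the permissive path; neither checks that an oidc provider with an empty secret and CodeChallengeMethod `"plain"` or unset still reports the missing-client-secret error, so a regression that drops the method comparison would pass unless such a case already exists earlier in the file. A third Entry copying the first with `CodeChallengeMethod: "plain"` and an errStrings slice holding the missing-client-secret message the file's earlier entries presumably use would pin that boundary. The enclosing Describe block starts outside the hunk.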