allow empty clientSecret when provider=oidc and codeChallengeMethod=S256

2025-08-18 20:30:59 -07:00 · 2025-08-18 20:30:59 -07:00 · a2285fb6c9
parent 4c86a4d574
commit a2285fb6c9
2 changed files with 35 additions and 0 deletions
--- a/pkg/validation/providers.go
+++ b/pkg/validation/providers.go
@ -68,6 +68,11 @@ func providerRequiresClientSecret(provider options.Provider) bool {
 		return false
 	}

+	// PKCE with S256 doesn't require client secret
+	if provider.Type == "oidc" && provider.CodeChallengeMethod == "S256" {
+		return false
+	}
+
 	if provider.Type == "login.gov" {
 		return false
 	}
--- a/pkg/validation/providers_test.go
+++ b/pkg/validation/providers_test.go
@ -79,5 +79,35 @@ var _ = Describe("Providers", func() {
 			},
 			errStrings: []string{skipButtonAndMultipleProvidersMsg},
 		}),
+		Entry("with oidc provider using S256 PKCE and no client secret", &validateProvidersTableInput{
+			options: &options.Options{
+				Providers: options.Providers{
+					{
+						Type:              "oidc",
+						ID:                "oidc-s256",
+						ClientID:          "client-id",
+						ClientSecret:      "",
+						ClientSecretFile:  "",
+						CodeChallengeMethod: "S256",
+					},
+				},
+			},
+			errStrings: []string{},
+		}),
+		Entry("with oidc provider using S256 PKCE and client secret", &validateProvidersTableInput{
+			options: &options.Options{
+				Providers: options.Providers{
+					{
+						Type:              "oidc",
+						ID:                "oidc-s256",
+						ClientID:          "client-id",
+						ClientSecret:      "mysecret",
+						ClientSecretFile:  "",
+						CodeChallengeMethod: "S256",
+					},
+				},
+			},
+			errStrings: []string{},
+		}),
 	)
 })