
Commit 16d054b

committed
make it possible to force-enable PKCE
Signed-off-by: Julien Veyssier <julien-nc@posteo.net>
1 parent bb38741 commit 16d054b


2 files changed

+15
-3
lines changed


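--- a/README.md
+++ b/README.md
@@ -220,6 +220,15 @@ You can also manually disable it in `config.php`:
 ],
 ```
 
+You can also force the use of PKCE with:
+``` php
+'user_oidc' => [
+'use_pkce' => 'force',
+],
+```
+This will make user_oidc use PKCE even if the `code_challenge_methods_supported` value of the provider's discovery endpoint
+is not defined or does not contain `S256`.
+
 ### Single logout
 
 Single logout is enabled by default. When logging out of Nextcloud,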

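--- a/lib/Controller/LoginController.php
+++ b/lib/Controller/LoginController.php
@@ -183,10 +183,11 @@ public function login(int $providerId, ?string $redirectUrl = null) {
 $this->session->set(self::NONCE, $nonce);
 
 $oidcSystemConfig = $this->config->getSystemValue('user_oidc', []);
-// TODO add config param to force PKCE even if not supported in discovery
 // condition becomes: ($isPkceSupported || $force) && ($oidcSystemConfig['use_pkce'] ?? true)
 $isPkceSupported = in_array('S256', $discovery['code_challenge_methods_supported'] ?? [], true);
-$isPkceEnabled = $isPkceSupported && ($oidcSystemConfig['use_pkce'] ?? true);
+$usePkce = $oidcSystemConfig['use_pkce'] ?? true;
+$forcePkce = $usePkce === 'force';
+$isPkceEnabled = $forcePkce || ($isPkceSupported && $usePkce);
 
 if ($isPkceEnabled) {
 // PKCE code_challenge see https://datatracker.ietf.org/doc/html/rfc7636
@@ -378,7 +379,9 @@ public function code(string $state = '', string $code = '', string $scope = '',
 
 $oidcSystemConfig = $this->config->getSystemValue('user_oidc', []);
 $isPkceSupported = in_array('S256', $discovery['code_challenge_methods_supported'] ?? [], true);
-$isPkceEnabled = $isPkceSupported && ($oidcSystemConfig['use_pkce'] ?? true);
+$usePkce = $oidcSystemConfig['use_pkce'] ?? true;
+$forcePkce = $usePkce === 'force';
+$isPkceEnabled = $forcePkce || ($isPkceSupported && $usePkce);
 $usePrivateKeyJwt = $this->providerService->getSetting($providerId, ProviderService::SETTING_USE_PRIVATE_KEY_JWT, '0') !== '0';
 
 try {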
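Review bot: The comment `// condition becomes: ($isPkceSupported || $force) && ($oidcSystemConfig['use_pkce'] ?? true)` left in login() (new line 186) is now stale: the TODO it belonged to was removed and the expression actually implemented is `$forcePkce || ($isPkceSupported && $usePkce)`, so the comment describes a design that no longer exists; delete it or replace it with `// 'use_pkce' => 'force' enables PKCE even when discovery does not advertise S256`. Second, the same three lines are now duplicated in login() and code() (second hunk); presumably login() decides whether a code_challenge is sent and code() whether a code_verifier is sent, so if the two copies ever drift the token exchange would disagree with the authorization request about PKCE. A private helper shared by both methods keeps a single source of truth for that decision, as sketched below. Both enclosing methods start and end outside the hunks.
```php
/**
 * PKCE is used when the provider advertises S256 in discovery, or unconditionally
 * when the admin sets 'use_pkce' => 'force' in the user_oidc system config.
 */
private function isPkceEnabled(array $discovery): bool {
	$usePkce = $this->config->getSystemValue('user_oidc', [])['use_pkce'] ?? true;
	if ($usePkce === 'force') {
		return true;
	}
	$isPkceSupported = in_array('S256', $discovery['code_challenge_methods_supported'] ?? [], true);
	return $isPkceSupported && $usePkce;
}
```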
