spamokm opened a new issue, #7052: URL: https://github.com/apache/apisix/issues/7052
### Description

As a user, I want to use OAuth2 with PKCE support, so that I can configure an OAuth2 connection without using client/secret.

I am using an IdP which has implemented the [Authorization Code Flow](https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth). From the docs of the IdP:

> The IdP implements the [Authorization Code Flow](https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth), preferably with [PKCE](https://oauth.net/2/pkce/). The PKCE flow is the recommended and most universal authorization flow that supports mobile apps, single page applications and traditional server-rendered applications and doesn't require the exchange of a shared secret.

The flow:

1. user opens a web app (in my case an ApisixRoute, using the openid plugin)
2. a code challenge using SHA-256 is created by the openid plugin
3. redirect to the IdP authorization endpoint
4. login of the user
5. redirect to the redirect_url with "authcode" as a URL query parameter
6. the openid plugin uses the authcode to receive a JWT from the IdP token endpoint

Could you implement this OAuth flow with PKCE support? Please add a section to the documentation as well, taking care of the configuration of the PKCE and the redirect_url.

Thank you

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
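The PKCE exchange the six steps above describe (challenge created before the redirect, verifier redeemed at the token endpoint), as an added Python example that is not part of the issue or of the APISIX openid-connect plugin; the IdP endpoint, client id and redirect URI are placeholder assumptions, and both the client side and the token-endpoint check are shown so the S256 derivation can be seen end to end.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder values (assumptions for the example, not taken from the issue).
AUTHORIZE_ENDPOINT = "https://idp.example/authorize"
CLIENT_ID = "apisix-route-demo"
REDIRECT_URI = "https://app.example/callback"

def make_code_verifier(n_bytes: int = 32) -> str:
    """RFC 7636 4.1: 43..128 unreserved chars; 32 random bytes -> 43 base64url chars."""
    return base64.urlsafe_b64encode(secrets.token_bytes(n_bytes)).rstrip(b"=").decode("ascii")

def s256_challenge(code_verifier: str) -> str:
    """Step 2: BASE64URL(SHA256(ASCII(code_verifier))) without '=' padding (RFC 7636 4.2)."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def build_authorization_url(code_challenge: str, state: str, scope: str = "openid") -> str:
    """Step 3: the redirect carries only the challenge; the verifier never leaves the client."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)

def verify_pkce(stored_challenge: str, method: str, presented_verifier: str) -> bool:
    """Step 6, token-endpoint side (RFC 7636 4.6): accept S256 only, compare in constant time."""
    if method != "S256" or not 43 <= len(presented_verifier) <= 128:
        return False
    return hmac.compare_digest(s256_challenge(presented_verifier), stored_challenge)

def run_flow() -> dict:
    """End to end: keep the verifier, send the challenge, redeem the code with the verifier."""
    verifier = make_code_verifier()
    challenge = s256_challenge(verifier)
    state = secrets.token_urlsafe(16)
    url = build_authorization_url(challenge, state)
    # The IdP stores (challenge, method) next to the issued code; here we parse them back out of the URL.
    q = parse_qs(urlparse(url).query)
    accepted = verify_pkce(q["code_challenge"][0], q["code_challenge_method"][0], verifier)
    return {"authorize_url": url, "token_exchange_ok": accepted}
```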
