Add OIDC PKCE support for public SPA clients #46

Open
opened 2026-03-14 12:39:13 +01:00 by claude · 0 comments

Context

The current OIDC flow relies on client_secret for the token exchange (confidential client). While the secret stays server-side, adding PKCE (Proof Key for Code Exchange) is a security best practice for authorization code flows, especially when the SPA initiates the redirect.

Requirements

  • SPA generates code_verifier and code_challenge (S256) before redirecting to the OIDC provider
  • Include code_challenge and code_challenge_method=S256 in the authorization request
  • Send code_verifier in the callback POST to the server
  • Server includes code_verifier in the token exchange request to the OIDC provider

Priority

Low — the current flow is secure since the client_secret is server-side. PKCE adds defense-in-depth against authorization code interception.

Reference

RFC 7636 — Proof Key for Code Exchange
