backport of commit 677d98a

hashicorp · Jan 22, 2024 · bb1d38a · bb1d38a
1 parent 2a72f2a
commit bb1d38a
Show file tree

Hide file tree

Showing 5 changed files with 20 additions and 1 deletion.
diff --git a/changelog/24979.txt b/changelog/24979.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+oidc/provider: Adds `code_challenge_methods_supported` to OpenID Connect Metadata
+```
diff --git a/vault/identity_store_oidc_provider.go b/vault/identity_store_oidc_provider.go
@@ -166,6 +166,7 @@ type providerDiscovery struct {
 	Subjects              []string `json:"subject_types_supported"`
 	GrantTypes            []string `json:"grant_types_supported"`
 	AuthMethods           []string `json:"token_endpoint_auth_methods_supported"`
+	CodeChallengeMethods  []string `json:"code_challenge_methods_supported"`
 }
 
 type authCodeCacheEntry struct {
@@ -1572,6 +1573,10 @@ func (i *IdentityStore) pathOIDCProviderDiscovery(ctx context.Context, req *logi
 			"client_secret_basic",
 			"client_secret_post",
 		},
+		CodeChallengeMethods: []string{
+			codeChallengeMethodPlain,
+			codeChallengeMethodS256,
+		},
 	}
 
 	data, err := json.Marshal(disc)

diff --git a/vault/identity_store_oidc_provider_test.go b/vault/identity_store_oidc_provider_test.go
@@ -3637,6 +3637,7 @@ func TestOIDC_Path_OpenIDProviderConfig(t *testing.T) {
 		AuthMethods:           []string{"none", "client_secret_basic", "client_secret_post"},
 		RequestParameter:      false,
 		RequestURIParameter:   false,
+		CodeChallengeMethods:  []string{codeChallengeMethodPlain, codeChallengeMethodS256},
 	}
 	discoveryResp := &providerDiscovery{}
 	json.Unmarshal(resp.Data["http_raw_body"].([]byte), discoveryResp)
@@ -3693,6 +3694,7 @@ func TestOIDC_Path_OpenIDProviderConfig(t *testing.T) {
 		AuthMethods:           []string{"none", "client_secret_basic", "client_secret_post"},
 		RequestParameter:      false,
 		RequestURIParameter:   false,
+		CodeChallengeMethods:  []string{codeChallengeMethodPlain, codeChallengeMethodS256},
 	}
 	discoveryResp = &providerDiscovery{}
 	json.Unmarshal(resp.Data["http_raw_body"].([]byte), discoveryResp)

diff --git a/website/content/api-docs/secret/identity/oidc-provider.mdx b/website/content/api-docs/secret/identity/oidc-provider.mdx
@@ -605,7 +605,12 @@ $ curl \
     "client_secret_basic",
     "client_secret_post",
     "none"
-  ]}
+  ],
+  "code_challenge_methods_supported": [
+    "plain",
+    "S256"
+  ]
+}
 ```
 
 ## Read provider public keys

diff --git a/website/content/docs/secrets/identity/oidc-provider.mdx b/website/content/docs/secrets/identity/oidc-provider.mdx
@@ -127,6 +127,10 @@ Any Vault auth method may be used within the OIDC flow. For simplicity, enable t
        "none",
        "client_secret_basic",
        "client_secret_post"
+     ],
+     "code_challenge_methods_supported": [
+       "plain",
+       "S256"
      ]
    }
    ```