add documentation for pkce config

config-example.yaml

@@ -369,6 +369,11 @@ unix_socket_permission: "0770"
 #   allowed_users:
 #     - [email protected]
 #
+#   # Optional: Enable PKCE (Proof Key for Code Exchange) support for enhanced security
+#   # and prevent CSRF attacks.
+#   # See https://datatracker.ietf.org/doc/html/rfc7636
+#   enable_pkce: false
+#
 #   # Map legacy users from pre-0.24.0 versions of headscale to the new OIDC users
 #   # by taking the username from the legacy user and matching it with the username
 #   # provided by the OIDC. This is useful when migrating from legacy users to OIDC

docs/ref/oidc.md

@@ -45,6 +45,12 @@ oidc:
   allowed_users:
     - [email protected]
 
+  # Optional: Enable PKCE (Proof Key for Code Exchange) support for enhanced security and prevent CSRF attacks
+  # PKCE adds an additional layer of security to the OAuth 2.0 authorization code flow
+  # by preventing authorization code interception attacks
+  # See https://datatracker.ietf.org/doc/html/rfc7636
+  enable_pkce: false
+
   # If `strip_email_domain` is set to `true`, the domain part of the username email address will be removed.
   # This will transform `[email protected]` to the user `first-name.last-name`
   # If `strip_email_domain` is set to `false` the domain part will NOT be removed resulting to the following