No mechanism for PKCE auth built into python-keycloak

Open teward opened this issue 11 months ago • 2 comments

Currently, there are no PKCE capabilities in python-keycloak.

When interacting with Public type endpoints, where PKCE is enabled, it is required to provide several things such as a non-empty State field, a code_challenge_method argument, and a code_challenge argument with a PKCE challenge.

It may be prudent to create auth_url and such endpoints that support PKCE.

teward, Jan 27 '25 21:01
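The parameters listed in the post above (a non-empty state, code_challenge_method, and code_challenge), shown as an added example that is not part of the issue thread and is not python-keycloak code. The function names are hypothetical, the server URL, realm, client ID and redirect URI are constructed placeholders supplied by the caller, and the endpoint path assumes Keycloak's standard OpenID Connect layout without the legacy `/auth` prefix.

```python
import base64
import hashlib
import hmac
import re
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# RFC 7636 section 4.1: 43-128 characters from the unreserved set
VERIFIER_RE = re.compile(r"[A-Za-z0-9\-._~]{43,128}")

def new_code_verifier() -> str:
    # 32 random bytes encode to 43 base64url characters, the RFC minimum
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")

def s256_challenge(verifier: str) -> str:
    # code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), no padding
    if not VERIFIER_RE.fullmatch(verifier):
        raise ValueError("code_verifier must be 43-128 unreserved characters")
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def build_pkce_auth_url(server_url, realm, client_id, redirect_uri, scope="openid"):
    """Return (url, state, verifier); keep state and verifier in the user's session."""
    state = secrets.token_urlsafe(24)  # non-empty and unguessable
    verifier = new_code_verifier()
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": s256_challenge(verifier),
        "code_challenge_method": "S256",
    }
    # Assumed path layout: <server>/realms/<realm>/protocol/openid-connect/auth
    base = f"{server_url.rstrip('/')}/realms/{realm}/protocol/openid-connect/auth"
    return f"{base}?{urlencode(params)}", state, verifier

def token_request_body(callback_url, expected_state, verifier, client_id, redirect_uri):
    """Verify the returned state, then build the token endpoint form body."""
    query = parse_qs(urlsplit(callback_url).query)
    returned_state = query.get("state", [""])[0]
    if not hmac.compare_digest(returned_state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: discard this callback")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return {"grant_type": "authorization_code", "code": code,
            "redirect_uri": redirect_uri, "client_id": client_id,
            "code_verifier": verifier}  # server recomputes S256 and compares
```

The verifier never appears in the authorization URL; only its hash does, so an intercepted authorization code cannot be redeemed without the value held in the session.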

Following

arkhdevcloud, May 21 '25 15:05

Note that the upcoming OAuth 2.1 spec that is still in draft will require PKCE for public and confidential type clients, so addressing this would be prudent. Even including a definition on the client side of pkce= with a default of False would work if implemented.

(Note I have written a separate set of libraries that wraps around direct Keycloak API calls, etc. to handle OAuth client code flow currently with PKCE available to it until python-keycloak updates its stuff.)

teward, May 22 '25 21:05