oidc/provider: adds code_challenge_methods_supported to metadata (#24979)

* oidc/provider: adds code_challenge_methods_supported to metadata * adds changelog * adds docs
2026-02-18 18:38:08 -05:00 · 2024-01-22 13:40:13 -08:00 · 2024-01-22 13:40:13 -08:00 · 677d98a821
commit 677d98a821
parent 4811fd1962
5 changed files with 20 additions and 1 deletions
--- a/changelog/24979.txt
+++ b/changelog/24979.txt
@ -0,0 +1,3 @@
+```release-note:improvement
+oidc/provider: Adds `code_challenge_methods_supported` to OpenID Connect Metadata
+```
--- a/vault/identity_store_oidc_provider.go
+++ b/vault/identity_store_oidc_provider.go
@ -166,6 +166,7 @@ type providerDiscovery struct {
 	Subjects              []string `json:"subject_types_supported"`
 	GrantTypes            []string `json:"grant_types_supported"`
 	AuthMethods           []string `json:"token_endpoint_auth_methods_supported"`
+	CodeChallengeMethods  []string `json:"code_challenge_methods_supported"`
 }

 type authCodeCacheEntry struct {
@ -1572,6 +1573,10 @@ func (i *IdentityStore) pathOIDCProviderDiscovery(ctx context.Context, req *logi
 			"client_secret_basic",
 			"client_secret_post",
 		},
+		CodeChallengeMethods: []string{
+			codeChallengeMethodPlain,
+			codeChallengeMethodS256,
+		},
 	}

 	data, err := json.Marshal(disc)
--- a/vault/identity_store_oidc_provider_test.go
+++ b/vault/identity_store_oidc_provider_test.go
@ -3637,6 +3637,7 @@ func TestOIDC_Path_OpenIDProviderConfig(t *testing.T) {
 		AuthMethods:           []string{"none", "client_secret_basic", "client_secret_post"},
 		RequestParameter:      false,
 		RequestURIParameter:   false,
+		CodeChallengeMethods:  []string{codeChallengeMethodPlain, codeChallengeMethodS256},
 	}
 	discoveryResp := &providerDiscovery{}
 	json.Unmarshal(resp.Data["http_raw_body"].([]byte), discoveryResp)
@ -3693,6 +3694,7 @@ func TestOIDC_Path_OpenIDProviderConfig(t *testing.T) {
 		AuthMethods:           []string{"none", "client_secret_basic", "client_secret_post"},
 		RequestParameter:      false,
 		RequestURIParameter:   false,
+		CodeChallengeMethods:  []string{codeChallengeMethodPlain, codeChallengeMethodS256},
 	}
 	discoveryResp = &providerDiscovery{}
 	json.Unmarshal(resp.Data["http_raw_body"].([]byte), discoveryResp)
--- a/website/content/api-docs/secret/identity/oidc-provider.mdx
+++ b/website/content/api-docs/secret/identity/oidc-provider.mdx
@ -605,7 +605,12 @@ $ curl \
    "client_secret_basic",
    "client_secret_post",
    "none"
-  ]}
+  ],
+  "code_challenge_methods_supported": [
+    "plain",
+    "S256"
+  ]
+}
 ```

 ## Read provider public keys
--- a/website/content/docs/secrets/identity/oidc-provider.mdx
+++ b/website/content/docs/secrets/identity/oidc-provider.mdx
@ -127,6 +127,10 @@ Any Vault auth method may be used within the OIDC flow. For simplicity, enable t
       "none",
       "client_secret_basic",
       "client_secret_post"
+     ],
+     "code_challenge_methods_supported": [
+       "plain",
+       "S256"
     ]
   }
   ```