Hi @Teeed , I tried your PR and it was mostly functional.

It seems there is no way to get to the handleAuthCode without actually passing the basic auth (providing a valid client secret). Shouldn't the handling of the secret be deferred only in the case that PKCE flow is not used (ie. when there is no code_verifier?). Making this change allows for PKCE to commence without a secret.

Has there been any progress on implementing PKCE? I've been working on a branch which implements the OAuth 2 Device Authorization Grant, and I know that to make a fully featured native app flow, PKCE should be included as well. Would be beneficial not to duplicate work

Yeah. First of all: sorry for not responding for such a long time. Thanks for raising issues! 👍

Company which I work for (and which allowed me to push these changes to upstream) decided that this changes are no longer needed and hence development of these changes was stalled. I currently work on different projects, so I do not have time (and business reason 😕) to fix raised issues.

If anyone wants to continue this work - please do!

Hi @Teeed, thanks for your efforts here.
Please allow me a stupid question, since I'm not familiar with the codebase:

Does this add:

1. PKCE for the client (e.g. a single-page app) connecting to Dex, or
2. PKCE for Dex connecting to the upstream IdP (if this makes sense at all...)?

We would be interested in case 1.

Hi @Teeed ,

If anyone wants to continue this work - please do!

Our company wants to finish your work.
Could you please sign off your commit, meaning that you accept the Dex DCO?
Otherwise, I'm not sure if we're allowed to reuse your work in our follow-up PR.

Signing off the commit should work like this:

git checkout <BRANCH>
git commit --amend --signoff
git push --force-with-lease <ORIGIN> <BRANCH>

Thanks

This PR can be closed as #1784, which is based on this, has been merged. Thanks again to @Teeed for his work!

Closing, as these changes got merged with #1784