Device Authorization has no PKCE Support
The methods `rp.DeviceAuthorization` and `rp.DeviceAccessToken` don't support PKCE for OPs that require PKCE for device authorization. `rp.DeviceAuthorization` does support a custom `authFn`, so you can pass a custom `http.FormAuthorization` function that adds the `code_challenge` and `code_challenge_method`. However, `rp.DeviceAccessToken` doesn't support an auth function. We worked around this limitation by creating a custom http `RoundTripper` that adds `code_verifier` to the form data and then rewrites the request body before sending it. Should I open an issue for this?
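The RoundTripper workaround described in the post, as an added Go example: this is not the poster's code and not part of zitadel/oidc. The `PKCETransport` type and `addVerifier` helper are hypothetical names, and wiring the resulting `*http.Client` into `rp.DeviceAccessToken` is not shown.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/url"
	"strings"
)

// PKCETransport is a hypothetical http.RoundTripper (not part of zitadel/oidc) that adds
// code_verifier to form-encoded POST bodies, for APIs that take an *http.Client but no authFn.
type PKCETransport struct {
	CodeVerifier string // PKCE verifier matching the code_challenge sent at authorization
}

// addVerifier sets code_verifier on a form-encoded body; other bodies are returned unchanged.
func addVerifier(contentType, body, verifier string) (string, bool) {
	if !strings.HasPrefix(contentType, "application/x-www-form-urlencoded") {
		return body, false
	}
	form, err := url.ParseQuery(body)
	if err != nil {
		return body, false
	}
	form.Set("code_verifier", verifier)
	return form.Encode(), true
}

// RoundTrip rewrites the body on a clone, since a RoundTripper must not mutate its input request.
func (t *PKCETransport) RoundTrip(req *http.Request) (*http.Response, error) {
	if req.Method == http.MethodPost && req.Body != nil {
		raw, err := io.ReadAll(req.Body)
		req.Body.Close()
		if err != nil {
			return nil, err
		}
		body, _ := addVerifier(req.Header.Get("Content-Type"), string(raw), t.CodeVerifier)
		req = req.Clone(req.Context())
		req.Body = io.NopCloser(strings.NewReader(body))
		req.GetBody = func() (io.ReadCloser, error) { return io.NopCloser(strings.NewReader(body)), nil }
		req.ContentLength = int64(len(body))
	}
	return http.DefaultTransport.RoundTrip(req)
}

func main() {
	// Constructed device-code token request body, rewritten as the transport would do it.
	body, _ := addVerifier("application/x-www-form-urlencoded", "grant_type=device_code&device_code=abc", "example-verifier")
	fmt.Println(body)
}
```

Use a dedicated client for the token request only, since the transport rewrites every form POST it sees, including the polling retries while authorization is still pending.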
hey @Jon @ Posit good morning, pls go ahead and open an issue, this was a neat finding 😄
GitHub: zitadel/oidc, "Easy to use OpenID Connect client and server library written for Go and certified by the OpenID Foundation"
hey @Jon @ Posit thanks for this