Hinara, 2d ago

Cannot generate PKCE secret

Hello, I had some discussion with the forgejo community while trying to enable PKCE on it; however, they told me that you technically should have a secret while using PKCE, which is not possible to generate in Zitadel with the PKCE framework: https://codeberg.org/forgejo/forgejo/issues/6014
Note: Because PKCE is not a replacement for client authentication, it does not allow treating a public client as a confidential client.
https://oauth.net/2/pkce/ It seems technically possible by temporarily converting your app to a regular Code application and then converting it back to a PKCE one? Or just use Code, and apps supporting PKCE should try to use it? I'm a bit lost on that specific topic, and what makes it even more confusing is that Zitadel recommends using PKCE, but the fact that there is no client_secret might make it less secure in certain use cases.
Codeberg.org: bug: Client Secret is a required field in OIDC authentication sourc...
Can you reproduce the bug on the Forgejo test instance? No Description As was tracked by #2766, forgejo supports using PKCE as an OpenID Connect client. However, when utilizing PKCE a client secret is not actually required. Thus, the client secret field should be optional instead of re...
Ask Inkeep, 2d ago
Hi @Hinara, I'm an AI assistant for ZITADEL. While a team member reviews this question, I'll see if I can find relevant sources for your question.
Answer: I wasn't able to find a direct answer, here are some relevant sources:
1. PKCE with optional Client Secret: Discussion about support for using PKCE together with a client secret, and feedback that PKCE is not a replacement for client authentication.
2. Authenticate users with OpenID Connect: Explains ZITADEL's recommended use of PKCE for public clients and the available authentication methods for different application types.
Feel free to tag @Ask Inkeep with additional questions. Got it. Tagging @Rajat for additional help.
Hinara (OP), 2d ago
I do not know if it should be considered a bug or a feature in that case, as PKCE applications should be able to generate a secret, but some of them might not require the validation of the client_secret by the Zitadel API, I suppose?
Ask Inkeep, 2d ago
Glad I could be helpful. Feel free to create a new thread with any new questions you may have. Got it. Tagging @Rajat for additional help.
Hinara (OP), 2d ago
Reopening, sorry. After some checks, it appears that Code authentication does PKCE if available, even if it is not the PKCE framework in Zitadel. Maybe mention it somewhere in the documentation, and it might be a good idea to force PKCE on the Code framework?
