Add support for PKCE in OIDC

config/initializers/omniauth.rb

@@ -18,6 +18,7 @@
                               scope: config.scopes.map(&:to_sym),
                               uid_field: config.uid_field,
                               issuer: config.issuer,
+                              pkce: config.pkce?,
                               discovery: config.discovery?,
                               client_options: client_options
   end

doc/config/environment-variables.md

@@ -103,6 +103,7 @@ This document contains all the environment variables which are available for thi
 | `OIDC_LOCAL_AUTHENTICATION_ENABLED` | Boolean | When enabled, users with passwords will still be able to login locally. If disable, only OpenID Connect will be available. | true |
 | `OIDC_NAME` | String | The name of the OIDC provider as shown in the UI | OIDC Provider |
 | `OIDC_ISSUER` | String | The OIDC issuer URL |  |
+| `OIDC_PKCE` | Boolean | Option to enable Proof Key for Code Exchange by OAuth Public Clients | false |
 | `OIDC_IDENTIFIER` | String | The client ID for OIDC |  |
 | `OIDC_SECRET` | String | The client secret for OIDC |  |
 | `OIDC_SCOPES` | Array of strings | Scopes to request from the OIDC server. | openid,email |

doc/config/yaml.yml

@@ -233,6 +233,8 @@ oidc:
   name: OIDC Provider
   # The OIDC issuer URL
   issuer: 
+  # Set pkce option to true if OIDC provider has this option
+  pkce: 
   # The client ID for OIDC
   identifier: 
   # The client secret for OIDC

lib/postal/config_schema.rb

@@ -539,6 +539,11 @@ module Postal
         description "The OIDC issuer URL"
       end
 
+      boolean :pkce do
+        description "Option to enable Proof Key for Code Exchange by OAuth Public Clients"
+        default false
+      end
+
       string :identifier do
         description "The client ID for OIDC"
       end