Activate PKCE by default

.env.template

@@ -454,8 +454,8 @@
 #SSO_SCOPES="email profile"
 ## Additionnal authorization url parameters (ex: to obtain a `refresh_token` with Google Auth).
 # SSO_AUTHORIZE_EXTRA_PARAMS="access_type=offline&prompt=consent"
-## Activate PKCE for the Auth Code flow. Recommended but disabled for now waiting for feedback on support.
-# SSO_PKCE=false
+## Activate PKCE for the Auth Code flow.
+# SSO_PKCE=true
 ## Regex to add additionnal trusted audience to Id Token (by default only the client_id is trusted).
 # SSO_AUDIENCE_TRUSTED='^$'
 ## Set your Client ID and Client Key

SSO.md

@@ -20,7 +20,7 @@ The following configurations are available
  	- $SSO_AUTHORITY/.well-known/openid-configuration should return the a json document: https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse
  - `SSO_SCOPES` : Optional, allow to override scopes if needed (default `"email profile"`)
  - `SSO_AUTHORIZE_EXTRA_PARAMS` : Optional, allow to add extra parameter to the authorize redirection (default `""`)
- - `SSO_PKCE`: Activate PKCE for the Auth Code flow. Recommended but disabled for now waiting for feedback on support (default `false`).
+ - `SSO_PKCE`: Activate PKCE for the Auth Code flow (default `true`).
  - `SSO_AUDIENCE_TRUSTED`: Optional, Regex to trust additional audience for the IdToken (`client_id` is always trusted). Use single quote when writing the regex: `'^$'`.
  - `SSO_CLIENT_ID` : Client Id
  - `SSO_CLIENT_SECRET` : Client Secret
@@ -97,7 +97,6 @@ Server configuration, nothing specific just set:
 - `SSO_AUTHORITY=https://${domain}/realms/${realm_name}`
 - `SSO_CLIENT_ID`
 - `SSO_CLIENT_SECRET`
-- `SSO_PKCE=true`
 
 ### Testing
 
@@ -150,7 +149,6 @@ Server configuration should look like:
 - `SSO_SCOPES="email profile offline_access"`
 - `SSO_CLIENT_ID`
 - `SSO_CLIENT_SECRET`
-- `SSO_PKCE=true`
 
 ## Casdoor
 
@@ -162,7 +160,6 @@ Then configure your server with:
 - `SSO_AUTHORITY=https://${provider_host}`
 - `SSO_CLIENT_ID`
 - `SSO_CLIENT_SECRET`
-- `SSO_PKCE=true`
 
 ## GitLab
 
@@ -177,7 +174,6 @@ Then configure your server with
 - `SSO_AUTHORITY=https://gitlab.com`
 - `SSO_CLIENT_ID`
 - `SSO_CLIENT_SECRET`
-- `SSO_PKCE=true`
 
 ## Google Auth
 
@@ -189,19 +185,12 @@ Configure your server with :
 
 - `SSO_AUTHORITY=https://accounts.google.com`
 - `SSO_AUTHORIZE_EXTRA_PARAMS="access_type=offline&prompt=consent"`
-- `SSO_PKCE=true`
 - `SSO_CLIENT_ID`
 - `SSO_CLIENT_SECRET`
 
 ## Kanidm
 
-Kanidm recommend always running with PKCE:
-
-Config will look like:
-
-- `SSO_PKCE=true`
-
-Otherwise you can disable the PKCE requirement with: `kanidm system oauth2 warning-insecure-client-disable-pkce CLIENT_NAME --name admin`.
+Nothing specific should work with just `SSO_AUTHORITY`, `SSO_CLIENT_ID` and `SSO_CLIENT_SECRET`.
 
 ## Microsoft Entra ID
 

playwright/test.env

@@ -61,7 +61,6 @@ SMTP_TIMEOUT=5
 SSO_CLIENT_ID=VaultWarden
 SSO_CLIENT_SECRET=VaultWarden
 SSO_AUTHORITY=http://${KC_HTTP_HOST}:${KC_HTTP_PORT}/realms/${TEST_REALM}
-SSO_PKCE=true
 
 ###########################
 # Docker MariaDb container#

src/config.rs

@@ -659,7 +659,7 @@ make_config! {
         /// Authorization request extra parameters
         sso_authorize_extra_params:     String, false,  def,    String::new();
         /// Use PKCE during Authorization flow
-        sso_pkce:                       bool,   false,   def,    false;
+        sso_pkce:                       bool,   false,   def,    true;
         /// Regex for additionnal trusted Id token audience |> By default only the client_id is trsuted.
         sso_audience_trusted:           String, false,  option;
         /// CallBack Path |> Generated from Domain.