OAuth2 PKCE extension #7046

Draft
wants to merge 4 commits into base: main

Conversation

ManHatos (Contributor) commented Jul 31, 2024

https://datatracker.ietf.org/doc/html/rfc7636
Looks like Discord's OAuth2 implementation partially supports the extension
Will finish this PR when I get time or someone else does ig

Closes #5254

ManHatos (Contributor, Author) commented Aug 1, 2024

Notes:

  1. As per "Support Custom Scheme Redirect URIs in OAuth2" #450 (comment) + "Deep Linking with OAuth2 Not Working." #1296 (comment), clients with custom redirect URIs must use PKCE
  2. As per section 4.1 of the spec, the code_verifier must be at least 43 chars long; Discord strictly enforces this
  3. (?) the role_connections.write scope does not support PKCE ("Cannot use role_connections.write scope with PKCE" #5751 (comment))
  4. refresh_token grants do not support PKCE ("The channel_id field is nullable if the user is disconnecting." #553); you can now refresh tokens on public OAuth2 apps as per "OAuth2: Refreshing does not work with PKCE" #5531 (comment)
  5. Only S256 for code_challenge_method is supported, otherwise an invalid_request error is returned: Unsupported "code_challenge_method"
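As an added example (not code from this PR, from discord-api-docs, or from Discord), here is the RFC 7636 S256 flow the notes above describe, in Python: a spec-conformant code_verifier, the S256 code_challenge, the parameters each request carries, and the check a token endpoint performs. The parameter helpers and the hypothetical `server_verify` are my own illustration; the 43-char minimum and S256-only behaviour are the Discord constraints stated in notes 2 and 5.

```python
import base64
import hashlib
import hmac
import os
import re

# RFC 7636 section 4.1: 43..128 characters from the unreserved set [A-Za-z0-9-._~].
# Discord strictly enforces the 43-char minimum (note 2 above).
VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def _b64url(data: bytes) -> str:
    """BASE64URL-ENCODE without '=' padding, as the RFC requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """32 random octets -> 43-char verifier (the RFC's recommended size)."""
    return _b64url(os.urandom(n_bytes))


def make_code_challenge(verifier: str) -> str:
    """S256: BASE64URL(SHA256(ASCII(code_verifier))); the only method Discord accepts (note 5)."""
    if not VERIFIER_RE.match(verifier):
        raise ValueError("code_verifier must be 43-128 unreserved chars (RFC 7636 section 4.1)")
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def authorize_params(client_id: str, redirect_uri: str, scope: str, state: str, challenge: str) -> dict:
    """Query parameters for the authorization request; the verifier itself is never sent here."""
    return {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
            "scope": scope, "state": state,
            "code_challenge": challenge, "code_challenge_method": "S256"}


def token_params(client_id: str, redirect_uri: str, code: str, verifier: str) -> dict:
    """Body of the authorization_code exchange. A public client sends the verifier instead of a
    client_secret. A later refresh_token grant carries no verifier at all (note 4)."""
    return {"grant_type": "authorization_code", "client_id": client_id,
            "redirect_uri": redirect_uri, "code": code, "code_verifier": verifier}


def server_verify(stored_challenge: str, method: str, presented_verifier: str) -> bool:
    """Hypothetical token-endpoint check: recompute S256 over the presented verifier and compare
    in constant time. Any method other than S256 is rejected, mirroring note 5."""
    if method != "S256":
        return False
    try:
        expected = make_code_challenge(presented_verifier)
    except ValueError:
        return False
    return hmac.compare_digest(stored_challenge, expected)
```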

Successfully merging this pull request may close these issues: Missing documentation/mention of OAuth2 PKCE support