Add code_challenge_methods_supported property to OIDC auto discovery

gutard · gutard · commit 2ddebf0aa61d · 2023-11-13T14:44:53.000+01:00
Fix #1249
diff --git a/AUTHORS b/AUTHORS
@@ -52,6 +52,7 @@ Egor Poderiagin
 Emanuele Palazzetti
 Federico Dolce
 Frederico Vieira
+Gaël Utard
 Hasan Ramezani
 Hiroki Kiyohara
 Hossein Shakiba
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -26,6 +26,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 * #1311 Add option to disable client_secret hashing to allow verifying JWTs' signatures.
 * #1337 Gracefully handle expired or deleted refresh tokens, in `validate_user`.
 * #1350 Support Python 3.12 and Django 5.0
+* #1249 Add code_challenge_methods_supported property to auto discovery informations
 
 ### Fixed
 * #1322 Instructions in documentation on how to create a code challenge and code verifier
diff --git a/oauth2_provider/views/oidc.py b/oauth2_provider/views/oidc.py
@@ -26,6 +26,7 @@
 from ..forms import ConfirmLogoutForm
 from ..http import OAuth2ResponseRedirect
 from ..models import (
+    AbstractGrant,
     get_access_token_model,
     get_application_model,
     get_id_token_model,
@@ -96,6 +97,7 @@ def get(self, request, *args, **kwargs):
             "token_endpoint_auth_methods_supported": (
                 oauth2_settings.OIDC_TOKEN_ENDPOINT_AUTH_METHODS_SUPPORTED
             ),
+            "code_challenge_methods_supported": [key for key, _ in AbstractGrant.CODE_CHALLENGE_METHODS],
             "claims_supported": oidc_claims,
         }
         if oauth2_settings.OIDC_RP_INITIATED_LOGOUT_ENABLED:
diff --git a/tests/test_oidc_views.py b/tests/test_oidc_views.py
@@ -48,6 +48,7 @@ def test_get_connect_discovery_info(self):
             "subject_types_supported": ["public"],
             "id_token_signing_alg_values_supported": ["RS256", "HS256"],
             "token_endpoint_auth_methods_supported": ["client_secret_post", "client_secret_basic"],
+            "code_challenge_methods_supported": ["plain", "S256"],
             "claims_supported": ["sub"],
         }
         response = self.client.get(reverse("oauth2_provider:oidc-connect-discovery-info"))
@@ -74,6 +75,7 @@ def expect_json_response_with_rp(self, base):
             "subject_types_supported": ["public"],
             "id_token_signing_alg_values_supported": ["RS256", "HS256"],
             "token_endpoint_auth_methods_supported": ["client_secret_post", "client_secret_basic"],
+            "code_challenge_methods_supported": ["plain", "S256"],
             "claims_supported": ["sub"],
             "end_session_endpoint": f"{base}/logout/",
         }
@@ -107,6 +109,7 @@ def test_get_connect_discovery_info_without_issuer_url(self):
             "subject_types_supported": ["public"],
             "id_token_signing_alg_values_supported": ["RS256", "HS256"],
             "token_endpoint_auth_methods_supported": ["client_secret_post", "client_secret_basic"],
+            "code_challenge_methods_supported": ["plain", "S256"],
             "claims_supported": ["sub"],
         }
         response = self.client.get(reverse("oauth2_provider:oidc-connect-discovery-info"))
