Anyone successfully used remix-auth with PKCE challenges for a code flow?

[pdevito3]

Given the recommendation in OAuth 2.1 of always using PKCE with a code flow, it would be great to have that capability built in somehow (or maybe togglable for those not able to use PKCE yet for some reason).

In the meantime, I'm curious of anyone has an integration working? I started playing around with one for Duende a few weeks ago, but didn't get to solidify things. Here's the repo if anyone is interested

[alindsay55661]

Also interested in a PKCE strategy if you've formalized this.

[outofthisworld]

I have, its pretty standard just need a way of generating code_verifier and code_challenge. Once you've done that set up client and pass front-end URL for redirection. Then post to token endpoint with the code. Since no server is involved it's a pretty easy process. Make sure the client is not set the confidential access type.

I did login in another way too, opting in to using Keycloaks login page directly. You can use remix-auth's authenticator with the OAuth2Strategy provider, set up the config and implement login that way.

[MuzafferDede]

+1, I’ve encountered challenges in finding a reliable solution to address this issue. Despite exploring various options, there doesn't seem to be a straightforward workaround that fits remix app's needs.

[sergiodxa]

The v2 of the OAuth2Strategy comes with PKCE implemented

[MuzafferDede]

Yup, I just found this by checking the OAuth2Strategy source code. Maybe we should mention it in the README? I was trying to set up a Keycloak strategy and got confused about finding PKCE support.