From d16722ebf82311cca87593088f1d7eb1d589cab7 Mon Sep 17 00:00:00 2001
From: Chris
Date: Wed, 1 Apr 2026 01:43:53 +0800
Subject: [PATCH] fix(oidc): add PKCE support for keycloak login flow

---
 app/api/auth.py      | 7 +++++++
 app/schemas/login.py | 1 +
 2 files changed, 8 insertions(+)

diff --git a/app/api/auth.py b/app/api/auth.py
index 417c8c4..7d15ca1 100644
--- a/app/api/auth.py
+++ b/app/api/auth.py
@@ -117,6 +117,8 @@ def get_oidc_authorize_url(
     login_hint: str | None = None,
     prompt: str = "login",
     idp_hint: str | None = None,
+    code_challenge: str | None = None,
+    code_challenge_method: str | None = None,
 ) -> OIDCAuthUrlResponse:
     settings = get_settings()
     client_id = settings.idp_client_id or settings.idp_audience
@@ -137,6 +139,9 @@ def get_oidc_authorize_url(
         query["login_hint"] = login_hint
     if idp_hint and settings.use_keycloak:
         query["kc_idp_hint"] = idp_hint
+    if code_challenge:
+        query["code_challenge"] = code_challenge
+        query["code_challenge_method"] = code_challenge_method or "S256"
     params = httpx.QueryParams(query)
     return OIDCAuthUrlResponse(authorize_url=f"{authorize_endpoint}?{params}")
 
@@ -157,6 +162,8 @@ def exchange_oidc_code(payload: OIDCCodeExchangeRequest) -> LoginResponse:
         "code": payload.code,
         "redirect_uri": payload.redirect_uri,
     }
+    if payload.code_verifier:
+        form["code_verifier"] = payload.code_verifier
 
     try:
         resp = httpx.post(
diff --git a/app/schemas/login.py b/app/schemas/login.py
index 3ed8103..c8ee3f5 100644
--- a/app/schemas/login.py
+++ b/app/schemas/login.py
@@ -20,3 +20,4 @@ class OIDCAuthUrlResponse(BaseModel):
 class OIDCCodeExchangeRequest(BaseModel):
     code: str
     redirect_uri: str
+    code_verifier: str | None = None
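Review bot: `code_challenge_method: str | None = None` accepts any string, so a caller can request `plain` (or a typo) and it is forwarded verbatim to the authorization endpoint in the next hunk; RFC 7636 §4.2 makes S256 the method to use and reserves `plain` for clients that cannot compute a hash. Narrowing the annotation to `code_challenge_method: Literal["S256"] | None = None` (adding `from typing import Literal`) would let the request layer reject anything else before the URL is built, assuming the framework validates against parameter annotations as the existing `str | None` parameters suggest. The signature of get_oidc_authorize_url starts before this hunk.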
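Review bot: PKCE is opt-in here: when `code_challenge` is absent or empty the URL is built exactly as before, so an authorization code issued through this flow can still be exchanged without a verifier, and `exchange_oidc_code` mirrors the same opt-in shape with `if payload.code_verifier:`. Whether that is acceptable depends on whether the Keycloak client is configured to require S256, which is not visible in this patch and is worth recording next to the new branch, e.g. `# PKCE is optional at this layer; requiring it is left to the IdP client configuration`, or, if every caller is expected to send a challenge, rejecting requests that omit it. A `code_challenge_method` supplied without a `code_challenge` is also silently discarded rather than reported. The body of get_oidc_authorize_url continues on both sides of this hunk.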
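Review bot: The truthiness check `if payload.code_verifier:` treats an empty string like an omitted verifier, so a client that sent a challenge on the authorize request but an empty verifier here produces a token request without PKCE and gets an error back from the IdP instead of a clear validation error from this service; `if payload.code_verifier is not None:` together with a schema that rejects empty strings would surface the mistake earlier. A one-line comment tying the two halves of the flow together would also help the next reader, e.g. `# PKCE (RFC 7636): must be the verifier for the code_challenge sent on the authorize request`. exchange_oidc_code starts and ends outside this hunk.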
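Review bot: `code_verifier: str | None = None` accepts any string, but RFC 7636 §4.1 fixes the verifier to 43–128 characters drawn from `[A-Za-z0-9-._~]`; enforcing that in the schema, e.g. `code_verifier: str | None = Field(default=None, min_length=43, max_length=128)`, rejects malformed or empty verifiers before they are posted to the token endpoint. `Field` is not imported in the visible lines, so the pydantic import would need adding if the module does not already have it, and a character-class pattern can be added with whichever pattern argument the project's pydantic version supports. Whether OIDCCodeExchangeRequest declares further fields after this line is not visible here.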