Implement PKCE for OpenID Connect - Unable to login with LogTo

[mhkarimi1383]

Description

Hi,
I want to connect my Gitea instance to Logto OpenID connect
but I'm getting 421 status code with the error below in gitea container logs

2022/10/08 09:53:16 ...rs/web/auth/oauth.go:834:SignInOAuthCallback() [I] [63411754] Failed OAuth callback: (invalid_request) Authorization Server policy requires PKCE to be used for this request

I'm not able to do it in demo site since my logto instance is not fully available in public

Gitea Version

1.17.2

Can you reproduce the bug on the Gitea demo site?

No

Log Gist

No response

Screenshots

No response

Git Version

No response

Operating System

No response

How are you running Gitea?

Docker Container

Database

PostgreSQL

[zeripath]

Unfortunately the upstream library we use https://github.com/markbates/goth doesn't appear to implement PKCE authentication for OpenIDConnect - and therefore it looks like we don't support it.

I'm not certain because although I've read the OAuth specs several times it was a while ago, but I'm not certain that it would necesarily be too difficult to implement.

[mhkarimi1383]

I think someone fixed that for zoom authentication markbates/goth#459
I think it's good to make it for OpenID Connect too...

[mhkarimi1383]

I created an issue in https://github.com/markbates/goth: markbates/goth#473
we can close this one I think
Or
Keep it open and wait for update...

[zeripath]

We should keep this issue open as a marker to add the changes once the associated PR is merged.

[sedadas]

Hello,
I would also like to see this implemented. I am attempting to use ownCloud Infinite Scale with Gitea as an IDP, but it does not work, because OICS only supports login with PKCE: owncloud/ocis#2445
What would be the effort, given that Gitea is now also using a version of goth that supports this?

[lunny]

Gitea now are using 1.76.0 which have included markbates/goth#474 . So this has been resolved? @zeripath @techknowlogick

[techknowlogick]

per the comment in #21426 (comment), work needs to be done on Gitea's side to be able to support this.