Merge pull request #12563 from IONOS-Productivity/oidc-add-support-for-pkce

OIDC add support for PKCE
2025-06-26 18:26:48 +00:00 · 2025-04-10 09:03:31 -07:00 · 2025-04-10 09:03:31 -07:00 · b40b50fb2d
commit b40b50fb2d
parent e065073bea 5c658a4879
1 changed files with 16 additions and 3 deletions
--- a/backend/open_webui/config.py
+++ b/backend/open_webui/config.py
@ -457,6 +457,12 @@ OAUTH_SCOPES = PersistentConfig(
    os.environ.get("OAUTH_SCOPES", "openid email profile"),
 )

+OAUTH_CODE_CHALLENGE_METHOD = PersistentConfig(
+    "OAUTH_CODE_CHALLENGE_METHOD",
+    "oauth.oidc.code_challenge_method",
+    os.environ.get("OAUTH_CODE_CHALLENGE_METHOD", None),
+)
+
 OAUTH_PROVIDER_NAME = PersistentConfig(
    "OAUTH_PROVIDER_NAME",
    "oauth.oidc.provider_name",
@ -602,14 +608,21 @@ def load_oauth_providers():
    ):

        def oidc_oauth_register(client):
+            client_kwargs = {
+                "scope": OAUTH_SCOPES.value,
+            }
+
+            if OAUTH_CODE_CHALLENGE_METHOD.value and OAUTH_CODE_CHALLENGE_METHOD.value == "S256":
+                client_kwargs["code_challenge_method"] = "S256"
+            elif OAUTH_CODE_CHALLENGE_METHOD.value:
+                raise Exception('Code challenge methods other than "%s" not supported. Given: "%s"' % ("S256", OAUTH_CODE_CHALLENGE_METHOD.value))
+
            client.register(
                name="oidc",
                client_id=OAUTH_CLIENT_ID.value,
                client_secret=OAUTH_CLIENT_SECRET.value,
                server_metadata_url=OPENID_PROVIDER_URL.value,
-                client_kwargs={
-                    "scope": OAUTH_SCOPES.value,
-                },
+                client_kwargs=client_kwargs,
                redirect_uri=OPENID_REDIRECT_URI.value,
            )