PKCE not advertised in discovery document

#1

Still learning hydra & OIDC. When using PKCE I understand we need to set code_challenge and code_challenge_method but I do not see any mention of code_challenge_methods_supported in the discovery document (.well-known/openid-configuration). I was expecting something along the lines:

 "code_challenge_methods_supported": [
  "plain",
  "S256"
 ]

Is there a reason for this, or is this an oversight?

#2

I think you’re confusing OpenID Connect discovery with OAuth 2.0 discovery :slight_smile: The second of which is not supported by hydra atm

#3

I guess I am. RFC 8414 mentions code_challenge_methods_supported for the purpose of PKCE (https://tools.ietf.org/html/rfc7636) while all OIDC specs seem not ratified by IETF, while OIDC is said to be a standard on top of OAuth 2.0. It is a confusing space to work in.

#4

I asked because I was looking into PKCE, found out about code_challenge_method and found code_challenge_methods_supported in https://accounts.google.com/.well-known/openid-configuration so let me rephrase the question: is Google stretching the specs here? Again, still learning about OIDC, I understand this is not really about Hydra.

#5

That’s possible!
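Added example, not part of the thread and not Hydra code: a client-side sketch of choosing a PKCE method from a discovery document that may or may not carry code_challenge_methods_supported, then deriving the S256 challenge per RFC 7636. The sample documents, the `op.example` issuer and the policy for an absent field are assumptions of this example.

```python
import base64
import hashlib
import secrets

# Constructed sample discovery documents (not fetched from any real server).
WITH_FIELD = {"issuer": "https://op.example",
              "code_challenge_methods_supported": ["plain", "S256"]}
WITHOUT_FIELD = {"issuer": "https://op.example"}
PLAIN_ONLY = {"issuer": "https://op.example",
              "code_challenge_methods_supported": ["plain"]}


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding RFC 7636 uses."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_verifier() -> str:
    # 32 random bytes encode to 43 characters, the RFC 7636 minimum length.
    return b64url(secrets.token_bytes(32))


def s256_challenge(verifier: str) -> str:
    # code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def choose_method(metadata: dict, allow_plain: bool = False) -> str:
    """Policy assumed by this example:
    - field absent: nothing is advertised, so default to S256
    - S256 listed: always use it, never downgrade to plain
    - only plain listed: refuse unless the caller explicitly opts in
    """
    methods = metadata.get("code_challenge_methods_supported")
    if methods is None or "S256" in methods:
        return "S256"
    if "plain" in methods and allow_plain:
        return "plain"
    raise ValueError(f"no acceptable PKCE method advertised: {methods!r}")


def pkce_params(metadata: dict, verifier=None, allow_plain: bool = False) -> dict:
    """Return the verifier to keep locally and the two authorization request parameters."""
    verifier = verifier or new_verifier()
    method = choose_method(metadata, allow_plain)
    challenge = s256_challenge(verifier) if method == "S256" else verifier
    return {"code_verifier": verifier,
            "code_challenge": challenge,
            "code_challenge_method": method}
```

Only `code_challenge` and `code_challenge_method` go into the authorization request; `code_verifier` stays with the client until the token request.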