From bc0abd6b3835d19bc2335e5a9aa77a062e0f0759 Mon Sep 17 00:00:00 2001
From: Yuqiu Wang
Date: Tue, 12 Sep 2023 16:36:30 -0500
Subject: [PATCH] add OIDC_CODE_CHALLENGE

---
 server/index.js | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/server/index.js b/server/index.js
index 050a1ce..b60cdab 100644
--- a/server/index.js
+++ b/server/index.js
@@ -13,6 +13,7 @@ const OIDC_CLIENT_ID = process.env.OIDC_CLIENT_ID;
 const OIDC_SECRET = process.env.OIDC_SECRET;
 const OIDC_URL = process.env.OIDC_URL;
 const OIDC_SCOPES = process.env.OIDC_SCOPES || 'openid email';
+const OIDC_CODE_CHALLENGE = process.env.OIDC_CODE_CHALLENGE || '';
 const OIDC_CODE_CHALLENGE_METHOD = process.env.OIDC_CODE_CHALLENGE_METHOD || 'plain';
 const OIDC_METADATA = JSON.parse(process.env.OIDC_METADATA || '{}');
 const clientMetadata = Object.assign({client_id: OIDC_CLIENT_ID, client_secret: OIDC_SECRET}, OIDC_METADATA);
@@ -131,7 +132,18 @@ async function getOidcEndpoint() {
 
   if (!OIDC_URL) return;
   const provider = await getOidcProvider();
-  return provider.authorizationUrl({scope: OIDC_SCOPES, code_challenge_method: OIDC_CODE_CHALLENGE_METHOD});
+  const isUsePKCE = OIDC_CODE_CHALLENGE !== "" && OIDC_CODE_CHALLENGE_METHOD === "S256"
+  let authParams = {
+    scope: OIDC_SCOPES,
+  }
+  if (isUsePKCE) {
+    authParams = {
+      ...authParams,
+      code_challenge: OIDC_CODE_CHALLENGE,
+      code_challenge_method: OIDC_CODE_CHALLENGE_METHOD
+    }
+  }
+  return provider.authorizationUrl(authParams);
 }
 
 async function oidcAuthenticate(code, redirectUri) {
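Review bot: `OIDC_CODE_CHALLENGE` is read once from the environment, so every authorization request built in the second hunk carries the same `code_challenge`; PKCE (RFC 7636) only binds the token exchange to the browser session when the verifier/challenge pair is freshly generated per request and the verifier is held server-side until the callback redeems it. A fixed pair has no per-session entropy, and the patch does not show a `code_verifier` being sent at token exchange (the body of `oidcAuthenticate` is outside the patch), so if none is sent an IdP that enforces PKCE will reject the exchange. If this is openid-client, `generators.codeVerifier()` and `generators.codeChallenge(verifier)` produce the pair, with the verifier stored in the session and passed as `code_verifier` in the callback handler; at minimum the constant should carry a comment such as `// NOTE: a static challenge gives no per-request PKCE binding; see RFC 7636 §4.1`. The `|| ''` default also means an unset variable silently disables PKCE instead of being reported at startup.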
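Review bot: When `OIDC_CODE_CHALLENGE` is set but `OIDC_CODE_CHALLENGE_METHOD` keeps its `'plain'` default from the first hunk, `isUsePKCE` is false and the challenge is dropped without any log or error, so a deployment that configured the challenge runs without PKCE and nothing points at the missing method; that mismatch should be reported once at startup where the constants are defined. On style, the `isUsePKCE` line and both object literals lack terminating semicolons and use double quotes where the rest of the file uses single quotes, and the `let` plus reassignment collapses into a single `const` with a conditional spread. A rewrite of the added lines follows; the header of `getOidcEndpoint` lies before the hunk.
```javascript
  const provider = await getOidcProvider();
  const isUsePKCE = OIDC_CODE_CHALLENGE !== '' && OIDC_CODE_CHALLENGE_METHOD === 'S256';
  const authParams = {
    scope: OIDC_SCOPES,
    // PKCE parameters are attached only when both the challenge and the S256
    // method are configured; any other combination sends a plain request.
    ...(isUsePKCE && {
      code_challenge: OIDC_CODE_CHALLENGE,
      code_challenge_method: OIDC_CODE_CHALLENGE_METHOD,
    }),
  };
  return provider.authorizationUrl(authParams);
```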