Replies: 6 comments 3 replies
- Another related discussion: https://github.com/orgs/community/discussions/40077 And documentation issue: github/docs#22270
- I would love to see support for PKCE as well. It would make a huge difference for JAMStack websites.
- PR to clarify that PKCE is not supported: github/docs#24965
- GitHub now supports the Device Authorization Grant, which does not require a server. This is not an excuse to not support PKCE, since its usage is recommended (and sometimes required) starting with the upcoming OAuth 2.1 standard.
- Is PKCE missing only for OAuth Apps or is it missing for GitHub Apps as well? The docs here don't mention "pkce" nor "challenge": https://docs.github.com/en/apps/creating-github-apps/writing-code-for-a-github-app/building-a-login-with-github-button-with-a-github-app
- > Is PKCE missing only for OAuth Apps or is it missing for GitHub Apps as well?

  As far as I know, it's also missing from GitHub Apps.
- GitHub lets you authorize apps using OAuth, but the supported grants require a server, making it difficult for client-side apps.
  This requires Jamstack git-backed CMS projects like NetlifyCMS to manage an intermediary server separately: https://www.netlifycms.org/docs/github-backend/ (same with TinaCMS and my project Plenti).
  The Implicit Grant type was not allowed because of security issues, but Proof Key for Code Exchange (PKCE) should allow client-side apps to operate securely.
  GitLab already implements this in their OAuth 2.0 identity provider API: https://docs.gitlab.com/ee/api/oauth2.html#authorization-code-with-proof-key-for-code-exchange-pkce
  Thank you!