disable PKCE by default

mozilla · Dec 22, 2023 · 99080b2 · 99080b2
1 parent 58b229e
commit 99080b2
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 4 deletions.
diff --git a/docs/settings.rst b/docs/settings.rst
@@ -281,7 +281,7 @@ of ``mozilla-django-oidc``.
 
 .. py:attribute:: OIDC_USE_PKCE
 
-   :default: ``True``
+   :default: ``False``
 
    Controls whether the authentication backend uses PKCE (Proof Key For Code Exchange) during the authorization code flow.
 
@@ -324,4 +324,3 @@ of ``mozilla-django-oidc``.
    .. seealso::
 
       https://datatracker.ietf.org/doc/html/rfc7636#section-4.1
-
diff --git a/mozilla_django_oidc/views.py b/mozilla_django_oidc/views.py
@@ -88,7 +88,6 @@ def get(self, request):
                 auth.logout(request)
             assert not request.user.is_authenticated
         elif "code" in request.GET and "state" in request.GET:
-
             # Check instead of "oidc_state" check if the "oidc_states" session key exists!
             if "oidc_states" not in request.session:
                 return self.login_failure()
@@ -197,7 +196,7 @@ def get(self, request):
             nonce = get_random_string(self.get_settings("OIDC_NONCE_SIZE", 32))
             params.update({"nonce": nonce})
 
-        if self.get_settings("OIDC_USE_PKCE", True):
+        if self.get_settings("OIDC_USE_PKCE", False):
             code_verifier_length = self.get_settings("OIDC_PKCE_CODE_VERIFIER_SIZE", 64)
             # Check that code_verifier_length is between the min and max length
             # defined in https://datatracker.ietf.org/doc/html/rfc7636#section-4.1