Does the IdP OIDC extension support PKCE?

Wessel, Keith kwessel at
Thu Aug 20 17:56:25 UTC 2020

Thanks so much, Henri, for the quick reply and the excellent news that this is supported.

Just one question from your example: am I correct that, to make this work, we have to apply both step 1 (relying party override) and step 2 (client metadata change)? I assume so but just wanted to make sure that both steps were needed rather than one or the other.


From: users <users-bounces at> On Behalf Of Henri Mikkonen
Sent: Thursday, August 20, 2020 4:29 AM
To: Shib Users <users at>
Subject: Re: Does the IdP OIDC extension support PKCE?

On 20 Aug 2020, at 0.23, Wessel, Keith <kwessel at<mailto:kwessel at>> wrote:

I don't see anything in the OIDC extension docs about this, so I figured I'd ask. Does the OIDC extension support PKCE and the use of a code_challenge parameter in place of a client secret in an authorization request? This is, obviously, in the context of mobile apps and not having to embed the client secret in the app.

Yes, PKCE is supported since 1.1.0. I’ve just added a case example at the end of the following Wiki-page:<>
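As an added worked example (not from this thread and not the Shibboleth project's own code), this shows the PKCE S256 exchange Keith asks about: the client derives a `code_challenge` from a random `code_verifier`, and the authorization server stores the challenge with the issued code and recomputes it at the token endpoint. The in-memory `AuthzServer` class and its method names are assumptions for illustration; the vector in the test is the one from RFC 7636 Appendix B.

```python
import base64
import hashlib
import hmac
import secrets


def b64url_nopad(raw: bytes) -> str:
    # RFC 7636 uses base64url without '=' padding.
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    # RFC 7636 section 4.1: 43..128 unreserved chars; 32 random bytes -> 43 chars.
    return b64url_nopad(secrets.token_bytes(nbytes))


def make_code_challenge(code_verifier: str, method: str = "S256") -> str:
    # RFC 7636 section 4.2: S256 = BASE64URL(SHA256(ASCII(code_verifier))).
    if method == "S256":
        return b64url_nopad(hashlib.sha256(code_verifier.encode("ascii")).digest())
    if method == "plain":
        return code_verifier
    raise ValueError(f"unsupported code_challenge_method: {method}")


class AuthzServer:
    """Hypothetical minimal server side: binds the challenge to the issued code."""

    def __init__(self) -> None:
        self._codes: dict[str, tuple[str, str]] = {}

    def authorize(self, code_challenge: str, method: str) -> str:
        # Authorization request carries code_challenge instead of a client secret.
        code = secrets.token_urlsafe(24)
        self._codes[code] = (code_challenge, method)
        return code

    def token(self, code: str, code_verifier: str) -> bool:
        # Token request must present the verifier matching the stored challenge.
        entry = self._codes.pop(code, None)  # single use: code is consumed
        if entry is None or not (43 <= len(code_verifier) <= 128):
            return False
        stored_challenge, method = entry
        try:
            expected = make_code_challenge(code_verifier, method)
        except ValueError:
            return False
        return hmac.compare_digest(expected, stored_challenge)


def pkce_round_trip(method: str = "S256") -> bool:
    server = AuthzServer()
    verifier = make_code_verifier()
    code = server.authorize(make_code_challenge(verifier, method), method)
    return server.token(code, verifier)
```

A stolen authorization code alone is useless to an attacker here, because `token()` fails unless the original `code_verifier` is also presented, and the code is consumed on first use.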
