Does the IdP OIDC extension support PKCE?

Henri Mikkonen henri.mikkonen at csc.fi
Fri Aug 21 16:15:59 UTC 2020


Hi Keith,

> On 20 Aug 2020, at 20.56, Wessel, Keith <kwessel at illinois.edu> wrote:
> 
> Just one question from your example: am I correct that, to make this work, we have to apply both step 1 (relying party override) and step 2 (client metadata change)? I assume so but just wanted to make sure that both steps were needed rather than one or the other.

You can configure the supported token endpoint authentication methods for the default OIDC.SSO profile with the “idp.oidc.tokenEndpointAuthMethods” property. As its default value (it's a list) does not contain the “none” type, the RPs relying on the default profile configuration cannot have the “token_endpoint_auth_method” claim set to “none”. That value would be ignored if it was set.

You could globally enable the “none” type via the property, but I believe it’s clearer to use the RelyingPartyOverrides element instead and enable it only for the RPs that really require it. You probably need to use RelyingPartyOverrides anyway in order to force PKCE (p:forcePKCE) for them.

BR,
Henri.
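The two-step setup Henri describes, written out as a relying-party override (this is an added illustration, not a fragment from the message or from the Shibboleth project's own documentation). It assumes IdP 4.x style relying-party.xml with the OIDC OP extension, that the per-RP bean parent is RelyingPartyByName and that the OIDC.SSO profile exposes a tokenEndpointAuthMethods property mirroring the idp.oidc.tokenEndpointAuthMethods default; the client_id "public-spa-client" is a placeholder. Step 1 is the override below; step 2 is the matching client metadata entry, which must carry "token_endpoint_auth_method": "none" (without step 1 that metadata value is ignored, as the message says; without step 2 the client still authenticates with a secret and the override is unused).

```xml
<!-- relying-party.xml: per-RP override for one public (secret-less) OIDC client.
     Added example, not the project's shipped configuration; names marked
     "assumed" are not taken from the original message. -->
<util:list id="shibboleth.RelyingPartyOverrides">

    <!-- Matches the client_id registered in the client metadata (placeholder). -->
    <bean parent="RelyingPartyByName" c:relyingPartyIds="#{{'public-spa-client'}}">
        <property name="profileConfigurations">
            <list>
                <!-- Only this RP may authenticate with "none" at the token endpoint,
                     and because it has no secret, PKCE is made mandatory so an
                     intercepted authorization code cannot be redeemed without the
                     code_verifier. Property name tokenEndpointAuthMethods assumed. -->
                <bean parent="OIDC.SSO"
                      p:forcePKCE="true"
                      p:tokenEndpointAuthMethods="#{{'none'}}" />
                <ref bean="OIDC.UserInfo" />
            </list>
        </property>
    </bean>

</util:list>
```

The global alternative Henri advises against would be adding none to idp.oidc.tokenEndpointAuthMethods in the properties file, which lets every RP opt out of client authentication; scoping it to the override keeps confidential clients on secret- or key-based methods and ties the weakening to forcePKCE for the one RP that needs it. A quick check after deploying is to have the public client send a token request without a code_challenge having been used in the authorization request; with the override in place the exchange should be refused.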