Allow clients to use PKCE in the authorization code flow

Description

PKCE (Proof Key for Code Exchange) is an optional OAuth extension that mitigates the risk of a malicious actor intercepting an authorization code.

See the spec: https://tools.ietf.org/html/rfc7636

Confidential clients MUST NOT be required to use PKCE (this would be a breaking API change). At this time, all clients in Synapse are confidential.

Private clients, when created, should be required to use PKCE.
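The following is an added example, not code from the issue or from Synapse, showing the client-side verifier/challenge derivation from RFC 7636 (S256) and a token-endpoint check that applies the policy above: a code issued without a challenge is accepted only for a confidential client. The function names and the `client_is_confidential` flag are assumptions for illustration; the test vector is the one in RFC 7636 Appendix B.

```python
import base64
import hashlib
import hmac
import os
import re

# RFC 7636 section 4.1: code_verifier is 43..128 chars from [A-Za-z0-9-._~]
_VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def b64url_nopad(raw: bytes) -> str:
    """BASE64URL encoding without '=' padding, as the RFC requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """Client side: 32 random bytes encode to 43 chars, the RFC minimum."""
    return b64url_nopad(os.urandom(nbytes))


def make_code_challenge(verifier: str, method: str = "S256") -> str:
    """Client side: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    if not _VERIFIER_RE.match(verifier):
        raise ValueError("invalid code_verifier")
    if method == "S256":
        return b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())
    if method == "plain":  # allowed by the RFC but weaker; S256 is preferred
        return verifier
    raise ValueError("unsupported code_challenge_method")


def verify_pkce(stored_challenge, stored_method, presented_verifier,
                client_is_confidential):
    """Server side, at the token endpoint. stored_challenge/stored_method were
    bound to the authorization code at /authorize (None if the client sent none).
    Returns True if the code exchange may proceed."""
    if stored_challenge is None:
        # Policy from this issue (assumed encoding of it): confidential clients
        # are not required to use PKCE, non-confidential clients are.
        return client_is_confidential
    if presented_verifier is None or not _VERIFIER_RE.match(presented_verifier):
        return False
    expected = make_code_challenge(presented_verifier, stored_method)
    # constant-time comparison so the check does not leak timing information
    return hmac.compare_digest(expected, stored_challenge)
```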

Environment

None

Assignee

Unassigned

Reporter

Nick Grosenbacher

Labels

None

Validator

Bruce Hoff

Development Area

None

Release Version History

None

Epic Link

Priority

Major