IdentityPython · rohe · Apr 9, 2023 · Feb 9, 2023
diff --git a/src/idpyoidc/message/oauth2/__init__.py b/src/idpyoidc/message/oauth2/__init__.py
@@ -352,6 +352,7 @@ class ASConfigurationResponse(Message):
             "ui_locales_supported": OPTIONAL_LIST_OF_STRINGS,
             "op_policy_uri": SINGLE_OPTIONAL_STRING,
             "op_tos_uri": SINGLE_OPTIONAL_STRING,
+            "code_challenge_methods_supported": OPTIONAL_LIST_OF_STRINGS,
             "revocation_endpoint": SINGLE_OPTIONAL_STRING,
             "introspection_endpoint": SINGLE_OPTIONAL_STRING,
         }

diff --git a/src/idpyoidc/message/oidc/__init__.py b/src/idpyoidc/message/oidc/__init__.py
@@ -898,7 +898,8 @@ class ProviderConfigurationResponse(ResponseMessage):
             "frontchannel_logout_supported": SINGLE_OPTIONAL_BOOLEAN,
             "frontchannel_logout_session_required": SINGLE_OPTIONAL_BOOLEAN,
             "backchannel_logout_supported": SINGLE_OPTIONAL_BOOLEAN,
-            "backchannel_logout_session_required": SINGLE_OPTIONAL_BOOLEAN
+            "backchannel_logout_session_required": SINGLE_OPTIONAL_BOOLEAN,
+            "code_challenge_methods_supported": OPTIONAL_LIST_OF_STRINGS,
             # "jwk_encryption_url": SINGLE_OPTIONAL_STRING,
             # "x509_url": SINGLE_REQUIRED_STRING,
             # "x509_encryption_url": SINGLE_OPTIONAL_STRING,

diff --git a/src/idpyoidc/server/oauth2/authorization.py b/src/idpyoidc/server/oauth2/authorization.py
@@ -348,6 +348,7 @@ class Authorization(Endpoint):
         "request_object_encryption_alg_values_supported": claims.get_encryption_algs,
         "request_object_encryption_enc_values_supported": claims.get_encryption_encs,
         # "grant_types_supported": ["authorization_code", "implicit"],
+        "code_challenge_methods_supported": ["S256"],
         "scopes_supported": [],
     }
     default_capabilities = {
@@ -1087,7 +1088,7 @@ def process_request(
         :return: dictionary
         """
 
-        if isinstance(request, self.error_cls):
+        if "error" in request:
             return request
 
         _cid = request["client_id"]

diff --git a/src/idpyoidc/server/oidc/add_on/pkce.py b/src/idpyoidc/server/oidc/add_on/pkce.py
@@ -51,7 +51,7 @@ def post_authn_parse(request, client_id, context, **kwargs):
         )
 
     if "code_challenge_method" not in request:
-        request["code_challenge_method"] = "plain"
+        request["code_challenge_method"] = "S256"
 
     if "code_challenge" in request and (
         request["code_challenge_method"]
@@ -140,7 +140,17 @@ def add_pkce_support(endpoint: Dict[str, Endpoint], **kwargs):
     token_endpoint.post_parse_request.append(post_token_parse)
 
     code_challenge_methods = kwargs.get("code_challenge_methods", CC_METHOD.keys())
-
+    code_challenge_methods = list(
+        set(code_challenge_methods).intersection(
+            authn_endpoint._supports["code_challenge_methods_supported"]
+        )
+    )
+    if not code_challenge_methods:
+        raise ValueError(
+            "Unsupported method: {}".format(
+                ", ".join(kwargs.get("code_challenge_methods", CC_METHOD.keys()))
+            )
+        )
     kwargs["code_challenge_methods"] = {}
     for method in code_challenge_methods:
         if method not in CC_METHOD:

diff --git a/src/idpyoidc/server/oidc/authorization.py b/src/idpyoidc/server/oidc/authorization.py
@@ -77,18 +77,21 @@ class Authorization(authorization.Authorization):
     name = "authorization"
 
     _supports = {
-        "claims_parameter_supported": True,
-        "encrypt_request_object_supported": False,
-        "request_object_signing_alg_values_supported": claims.get_signing_algs,
-        "request_object_encryption_alg_values_supported": claims.get_encryption_algs,
-        "request_object_encryption_enc_values_supported": claims.get_encryption_encs,
-        "request_parameter_supported": True,
-        "request_uri_parameter_supported": True,
-        "require_request_uri_registration": False,
-        "response_types_supported": ["code", "token", "code token", 'id_token', 'id_token token',
+        **authorization.Authorization._supports,
+        **{
+            "claims_parameter_supported": True,
+            "encrypt_request_object_supported": False,
+            "request_object_signing_alg_values_supported": claims.get_signing_algs,
+            "request_object_encryption_alg_values_supported": claims.get_encryption_algs,
+            "request_object_encryption_enc_values_supported": claims.get_encryption_encs,
+            "request_parameter_supported": True,
+            "request_uri_parameter_supported": True,
+            "require_request_uri_registration": False,
+            "response_types_supported": ["code", "token", "code token", 'id_token', 'id_token token',
                                      'code id_token', 'code id_token token'],
-        "response_modes_supported": ['query', 'fragment', 'form_post'],
-        "subject_types_supported": ["public", "pairwise", "ephemeral"],
+            "response_modes_supported": ['query', 'fragment', 'form_post'],
+            "subject_types_supported": ["public", "pairwise", "ephemeral"],
+          },
     }
 
     def __init__(self, upstream_get: Callable, **kwargs):

diff --git a/tests/test_08_transform.py b/tests/test_08_transform.py
@@ -117,7 +117,8 @@ def test_oidc_setup(self):
                                      'service_documentation',
                                      'token_endpoint',
                                      'ui_locales_supported',
-                                     'userinfo_endpoint'}
+                                     'userinfo_endpoint',
+                                     'code_challenge_methods_supported'}
 
         # parameters that are not mapped against what the OP's provider info says
         assert set(self.supported).difference(

diff --git a/tests/test_server_33_oauth2_pkce.py b/tests/test_server_33_oauth2_pkce.py
@@ -367,24 +367,6 @@ def test_unknown_code_challenge_method(self):
             _authn_req["code_challenge_method"]
         )
 
-    def test_unsupported_code_challenge_method(self, conf):
-        conf["add_on"]["pkce"]["kwargs"]["code_challenge_methods"] = ["plain"]
-        server = create_server(conf)
-        authn_endpoint = server.get_endpoint("authorization")
-
-        _cc_info = _code_challenge()
-        _authn_req = AUTH_REQ.copy()
-        _authn_req["code_challenge"] = _cc_info["code_challenge"]
-        _authn_req["code_challenge_method"] = _cc_info["code_challenge_method"]
-
-        _pr_resp = authn_endpoint.parse_request(_authn_req.to_dict())
-
-        assert isinstance(_pr_resp, AuthorizationErrorResponse)
-        assert _pr_resp["error"] == "invalid_request"
-        assert _pr_resp["error_description"] == "Unsupported code_challenge_method={}".format(
-            _authn_req["code_challenge_method"]
-        )
-
     def test_wrong_code_verifier(self):
         _cc_info = _code_challenge()
         _authn_req = AUTH_REQ.copy()