PKCE configuration for IAM as OAuth 2.0/OIDC authorization server

PKCE configuration for the authorization server

  1. OAuth and OIDC authorization server
  2. Go to:
    Loginapp >> OAuth 2.0/OIDC Authorization Servers >> OAuth 2.0 Grants and Flows >> OIDC Authorization Code / Hybrid Flow
  3. In section Authorization Code, in property PKCE Code Challenge Method, select S256 required from the drop-down menu.
  4. IAM as an authorization server will then enforce the use of PKCE (with the S256 method) for all clients.

The configuration for an OpenID Connect OP is identical.

PKCE configuration overrides for clients

It is possible to change the authorization server's behavior for static clients.

  1. Go to:
    Loginapp >> OAuth 2.0/OIDC Authorization Servers >> Static Clients >> OAuth 2.0 Static Client
  2. In section Basic Settings, in property PKCE Code Challenge Method, select the desired behavior from the drop-down menu.
  3. For this particular client, the authorization server will behave as configured and ignore the default settings.

It is not possible to configure PKCE overrides for dynamically registered clients.
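The following is an added example, not Airlock IAM code, showing what the two settings above amount to in RFC 7636 terms: how the effective PKCE policy for a client is resolved (server default, a static-client override, and no override for dynamic clients), what an authorization server checks on the authorization request when "S256 required" is in force, and how the code_verifier is validated at the token endpoint. The policy value "S256 required" is taken from the page; the alternative value "not enforced", the function names and the sample verifier handling are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Policy values. "S256 required" is the drop-down choice named on the page;
# "not enforced" is a hypothetical placeholder for a weaker setting.
S256_REQUIRED = "S256 required"
PKCE_NOT_ENFORCED = "not enforced"  # assumed name, not an IAM setting


def make_verifier(nbytes: int = 32) -> str:
    """Client side: a random code_verifier (43..128 unreserved chars, RFC 7636 4.1)."""
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).rstrip(b"=").decode()


def s256_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def effective_pkce_policy(server_default: str, client_override: Optional[str],
                          is_dynamic_client: bool) -> str:
    """Resolve the policy the server applies to one client.

    Static clients may carry an override that replaces the server default;
    dynamically registered clients always get the default (no override possible).
    """
    if is_dynamic_client or client_override is None:
        return server_default
    return client_override


def check_authorization_request(policy: str, params: dict) -> Tuple[bool, str]:
    """Server side, /authorize: enforce the challenge method before issuing a code."""
    challenge = params.get("code_challenge")
    # RFC 7636 4.3: a missing code_challenge_method means "plain".
    method = params.get("code_challenge_method", "plain")
    if policy == S256_REQUIRED:
        if challenge is None:
            return False, "code_challenge is required"
        if method != "S256":
            return False, "code_challenge_method must be S256"
    return True, "ok"


def verify_token_request(stored_challenge: Optional[str], stored_method: Optional[str],
                         verifier: Optional[str]) -> bool:
    """Server side, /token: recompute the challenge from the presented verifier.

    stored_challenge/stored_method are what was bound to the authorization code.
    """
    if stored_challenge is None:
        return True  # code was issued without PKCE (only possible when not enforced)
    if verifier is None or not (43 <= len(verifier) <= 128):
        return False
    if stored_method == "S256":
        expected = s256_challenge(verifier)
    elif stored_method == "plain":
        expected = verifier
    else:
        return False
    # Constant-time comparison so a wrong verifier is not distinguishable by timing.
    return hmac.compare_digest(expected, stored_challenge)


if __name__ == "__main__":
    # Constructed walk-through: server default "S256 required", static client without override.
    policy = effective_pkce_policy(S256_REQUIRED, None, is_dynamic_client=False)
    verifier = make_verifier()
    challenge = s256_challenge(verifier)
    ok, reason = check_authorization_request(
        policy, {"code_challenge": challenge, "code_challenge_method": "S256"})
    print("authorize:", ok, reason)
    print("token:", verify_token_request(challenge, "S256", verifier))
    # A request that omits the method is rejected under "S256 required".
    print("plain rejected:", check_authorization_request(policy, {"code_challenge": "abc"}))
```

The first assertion in a test of this code can use the RFC 7636 Appendix B vector (verifier `dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk` gives challenge `E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM`), which is a convenient way to confirm that a server's S256 implementation matches the one clients expect.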