diff options
author | Patrick Cloke <clokep@users.noreply.github.com> | 2023-01-04 14:58:08 -0500 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-01-04 14:58:08 -0500 |
commit | 630d0aeaf607b4016e67895d81b0402a5dfcc769 (patch) | |
tree | 466fee9b2abd278925824eb602315f6c642aae90 /docs/usage | |
parent | Use env vars in GHA dependabot changelog (#14772) (diff) | |
download | synapse-630d0aeaf607b4016e67895d81b0402a5dfcc769.tar.xz |
Support RFC7636 PKCE in the OAuth 2.0 flow. (#14750)
PKCE can protect against certain attacks and is enabled by default. Support can be controlled manually by setting the pkce_method of each oidc_providers entry to 'auto' (default), 'always', or 'never'. This is required by Twitter OAuth 2.0 support.
Diffstat (limited to 'docs/usage')
-rw-r--r-- | docs/usage/configuration/config_documentation.md | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/docs/usage/configuration/config_documentation.md b/docs/usage/configuration/config_documentation.md index 23f9dcbea2..ec8403c7e9 100644 --- a/docs/usage/configuration/config_documentation.md +++ b/docs/usage/configuration/config_documentation.md @@ -3053,8 +3053,13 @@ Options for each entry include: values are `client_secret_basic` (default), `client_secret_post` and `none`. +* `pkce_method`: Whether to use proof key for code exchange when requesting + and exchanging the token. Valid values are: `auto`, `always`, or `never`. Defaults + to `auto`, which uses PKCE if supported during metadata discovery. Set to `always` + to force enable PKCE or `never` to force disable PKCE. + * `scopes`: list of scopes to request. This should normally include the "openid" - scope. Defaults to ["openid"]. + scope. Defaults to `["openid"]`. * `authorization_endpoint`: the oauth2 authorization endpoint. Required if provider discovery is disabled. |