feat(socialaccount/oauth2): oauth_pkce_enabled per app

ChangeLog.rst

@@ -1,6 +1,13 @@
-65.1.1 (unreleased)
+65.2.0 (unreleased)
 *******************
 
+Note worthy changes
+-------------------
+
+- OIDC: You can now configure whether or not PKCE is enabled per app by
+  including ``"oauth_pkce_enabled": True`` in the app settings.
+
+
 Fixes
 -----
 

allauth/__init__.py

@@ -8,7 +8,7 @@
 
 """
 
-VERSION = (65, 1, 1, "dev", 0)
+VERSION = (65, 2, 0, "dev", 0)
 
 __title__ = "django-allauth"
 __version_info__ = VERSION

allauth/socialaccount/providers/oauth2/provider.py

@@ -30,9 +30,12 @@ def get_login_url(self, request, **kwargs):
     def get_callback_url(self):
         return reverse(self.id + "_callback")
 
-    def get_pkce_params(self):
-        settings = self.get_settings()
-        if settings.get("OAUTH_PKCE_ENABLED", self.pkce_enabled_default):
+    def get_pkce_params(self) -> dict:
+        enabled = self.app.settings.get("oauth_pkce_enabled")
+        if enabled is None:
+            settings = self.get_settings()
+            enabled = settings.get("OAUTH_PKCE_ENABLED", self.pkce_enabled_default)
+        if enabled:
             pkce_code_params = generate_code_challenge()
             return pkce_code_params
         return {}

allauth/socialaccount/providers/oauth2/tests/test_views.py

@@ -38,21 +38,31 @@ def test_samesite_strict(
         assertTemplateUsed(resp, "socialaccount/authentication_error.html")
 
 
-def test_config_from_app_settings(google_provider_settings, rf, db, settings):
+@pytest.mark.parametrize("pkce_enabled", [False, True])
+def test_config_from_app_settings(
+    google_provider_settings, rf, db, settings, pkce_enabled
+):
     settings.SOCIALACCOUNT_PROVIDERS["google"]["APPS"][0]["settings"] = {
         "scope": ["this", "that"],
         "auth_params": {"x": "y"},
+        "oauth_pkce_enabled": pkce_enabled,
     }
     settings.SOCIALACCOUNT_PROVIDERS["google"]["SCOPE"] = ["not-this"]
     settings.SOCIALACCOUNT_PROVIDERS["google"]["AUTH_PARAMS"] = {"not": "this"}
     provider = get_adapter().get_provider(rf.get("/"), "google")
     assert provider.get_scope() == ["this", "that"]
     assert provider.get_auth_params() == {"x": "y"}
+    assert ("code_verifier" in provider.get_pkce_params().keys()) == pkce_enabled
 
 
-def test_config_from_provider_config(google_provider_settings, rf, db, settings):
+@pytest.mark.parametrize("pkce_enabled", [False, True])
+def test_config_from_provider_config(
+    google_provider_settings, rf, db, settings, pkce_enabled
+):
     settings.SOCIALACCOUNT_PROVIDERS["google"]["SCOPE"] = ["some-scope"]
     settings.SOCIALACCOUNT_PROVIDERS["google"]["AUTH_PARAMS"] = {"auth": "param"}
+    settings.SOCIALACCOUNT_PROVIDERS["google"]["OAUTH_PKCE_ENABLED"] = pkce_enabled
     provider = get_adapter().get_provider(rf.get("/"), "google")
     assert provider.get_scope() == ["some-scope"]
     assert provider.get_auth_params() == {"auth": "param"}
+    assert ("code_verifier" in provider.get_pkce_params().keys()) == pkce_enabled

docs/conf.py

@@ -53,9 +53,9 @@
 # built documents.
 #
 # The short X.Y version.
-version = "65.1.1"
+version = "65.2.0"
 # The full version, including alpha/beta/rc tags.
-release = "65.1.1"
+release = "65.2.0"
 
 # The language for content autogenerated by Sphinx. Refer to documentation
 # for a list of supported languages.

docs/socialaccount/providers/openid_connect.rst

@@ -11,7 +11,7 @@ standalone OpenID Connect provider:
     SOCIALACCOUNT_PROVIDERS = {
         "openid_connect": {
             # Optional PKCE defaults to False, but may be required by your provider
-            # Applies to all APPS.
+            # Can be set globally, or per app (settings).
             "OAUTH_PKCE_ENABLED": True,
             "APPS": [
                 {
@@ -26,6 +26,7 @@ standalone OpenID Connect provider:
                         # If omitted, a method from the the server's
                         # token auth methods list is used
                         "token_auth_method": "client_secret_basic",
+                        "oauth_pkce_enabled": True,
                     },
                 },
                 {