From c6b16aee28397f4f64ff47a44119fee9010001d1 Mon Sep 17 00:00:00 2001 From: Raymond Penners Date: Fri, 1 Nov 2024 14:14:44 +0100 Subject: [PATCH] feat(socialaccount/oauth2): oauth_pkce_enabled per app --- ChangeLog.rst | 9 ++++++++- allauth/__init__.py | 2 +- allauth/socialaccount/providers/oauth2/provider.py | 9 ++++++--- .../providers/oauth2/tests/test_views.py | 14 ++++++++++++-- docs/conf.py | 4 ++-- docs/socialaccount/providers/openid_connect.rst | 3 ++- 6 files changed, 31 insertions(+), 10 deletions(-) diff --git a/ChangeLog.rst b/ChangeLog.rst index 001aa71525..5263162786 100644 --- a/ChangeLog.rst +++ b/ChangeLog.rst @@ -1,6 +1,13 @@ -65.1.1 (unreleased) +65.2.0 (unreleased) ******************* +Note worthy changes +------------------- + +- OIDC: You can now configure whether or not PKCE is enabled per app by + including ``"oauth_pkce_enabled": True`` in the app settings. + + Fixes ----- diff --git a/allauth/__init__.py b/allauth/__init__.py index 203803d20b..6d9d6c972f 100644 --- a/allauth/__init__.py +++ b/allauth/__init__.py @@ -8,7 +8,7 @@ """ -VERSION = (65, 1, 1, "dev", 0) +VERSION = (65, 2, 0, "dev", 0) __title__ = "django-allauth" __version_info__ = VERSION diff --git a/allauth/socialaccount/providers/oauth2/provider.py b/allauth/socialaccount/providers/oauth2/provider.py index feca58138a..d792c81c23 100644 --- a/allauth/socialaccount/providers/oauth2/provider.py +++ b/allauth/socialaccount/providers/oauth2/provider.py 
@@ -30,9 +30,12 @@ def get_login_url(self, request, **kwargs): def get_callback_url(self): return reverse(self.id + "_callback") - def get_pkce_params(self): - settings = self.get_settings() - if settings.get("OAUTH_PKCE_ENABLED", self.pkce_enabled_default): + def get_pkce_params(self) -> dict: + enabled = self.app.settings.get("oauth_pkce_enabled") + if enabled is None: + settings = self.get_settings() + enabled = settings.get("OAUTH_PKCE_ENABLED", self.pkce_enabled_default) + if enabled: pkce_code_params = generate_code_challenge() return pkce_code_params return {} diff --git a/allauth/socialaccount/providers/oauth2/tests/test_views.py b/allauth/socialaccount/providers/oauth2/tests/test_views.py index f0ebd1a877..bcec681244 100644 --- a/allauth/socialaccount/providers/oauth2/tests/test_views.py +++ b/allauth/socialaccount/providers/oauth2/tests/test_views.py 
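Review bot: The new `get_pkce_params` establishes a three-level precedence (app `oauth_pkce_enabled`, then provider `OAUTH_PKCE_ENABLED`, then `pkce_enabled_default`), but nothing in the code states it, and because the fallback only triggers on `is None`, an explicit `False` in an app's settings silently switches PKCE off even when the provider-level setting is `True`. Since this is a per-app downgrade relative to the global configuration, the rule belongs in a docstring on the method, along the lines of `"""Return PKCE params for the auth request, or {} when PKCE is disabled. An explicit app-level ``oauth_pkce_enabled`` (True/False) overrides the provider-level ``OAUTH_PKCE_ENABLED``; only when the app key is absent does the provider setting (then ``pkce_enabled_default``) apply."""`. Whether `self.app` is always set by the time this runs is not visible here; if any provider can be instantiated without an app, the first new line raises `AttributeError` where the old code did not. The enclosing class starts outside the hunk.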
@@ -38,21 +38,31 @@ def test_samesite_strict( assertTemplateUsed(resp, "socialaccount/authentication_error.html") -def test_config_from_app_settings(google_provider_settings, rf, db, settings): +@pytest.mark.parametrize("pkce_enabled", [False, True]) +def test_config_from_app_settings( + google_provider_settings, rf, db, settings, pkce_enabled +): settings.SOCIALACCOUNT_PROVIDERS["google"]["APPS"][0]["settings"] = { "scope": ["this", "that"], "auth_params": {"x": "y"}, + "oauth_pkce_enabled": pkce_enabled, } settings.SOCIALACCOUNT_PROVIDERS["google"]["SCOPE"] = ["not-this"] settings.SOCIALACCOUNT_PROVIDERS["google"]["AUTH_PARAMS"] = {"not": "this"} provider = get_adapter().get_provider(rf.get("/"), "google") assert provider.get_scope() == ["this", "that"] assert provider.get_auth_params() == {"x": "y"} + assert ("code_verifier" in provider.get_pkce_params().keys()) == pkce_enabled -def test_config_from_provider_config(google_provider_settings, rf, db, settings): +@pytest.mark.parametrize("pkce_enabled", [False, True]) +def test_config_from_provider_config( + google_provider_settings, rf, db, settings, pkce_enabled +): settings.SOCIALACCOUNT_PROVIDERS["google"]["SCOPE"] = ["some-scope"] settings.SOCIALACCOUNT_PROVIDERS["google"]["AUTH_PARAMS"] = {"auth": "param"} + settings.SOCIALACCOUNT_PROVIDERS["google"]["OAUTH_PKCE_ENABLED"] = pkce_enabled provider = get_adapter().get_provider(rf.get("/"), "google") assert provider.get_scope() == ["some-scope"] assert provider.get_auth_params() == {"auth": "param"} + assert ("code_verifier" in provider.get_pkce_params().keys()) == pkce_enabled diff --git a/docs/conf.py b/docs/conf.py index 990ea43395..d49ac0536c 100644 --- a/docs/conf.py +++ b/docs/conf.py 
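Review bot: Neither parametrized test exercises the override that the provider change introduces: `test_config_from_app_settings` sets only the app-level `oauth_pkce_enabled` and `test_config_from_provider_config` only the provider-level `OAUTH_PKCE_ENABLED`, so an app value of `False` beating a provider value of `True` is never asserted. Adding `settings.SOCIALACCOUNT_PROVIDERS["google"]["OAUTH_PKCE_ENABLED"] = not pkce_enabled` to the app-settings test would make its final assertion prove the app value wins rather than merely that the key is read. As a point of style, `.keys()` is redundant on a dict membership test: `assert ("code_verifier" in provider.get_pkce_params()) == pkce_enabled`, in both tests.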
@@ -53,9 +53,9 @@ # built documents. # # The short X.Y version. -version = "65.1.1" +version = "65.2.0" # The full version, including alpha/beta/rc tags. -release = "65.1.1" +release = "65.2.0" # The language for content autogenerated by Sphinx. Refer to documentation # for a list of supported languages. diff --git a/docs/socialaccount/providers/openid_connect.rst b/docs/socialaccount/providers/openid_connect.rst index 0da1ee2682..729958ea88 100644 --- a/docs/socialaccount/providers/openid_connect.rst +++ b/docs/socialaccount/providers/openid_connect.rst @@ -11,7 +11,7 @@ standalone OpenID Connect provider: SOCIALACCOUNT_PROVIDERS = { "openid_connect": { # Optional PKCE defaults to False, but may be required by your provider - # Applies to all APPS. + # Can be set globally, or per app (settings). "OAUTH_PKCE_ENABLED": True, "APPS": [ { @@ -26,6 +26,7 @@ standalone OpenID Connect provider: # If omitted, a method from the the server's # token auth methods list is used "token_auth_method": "client_secret_basic", + "oauth_pkce_enabled": True, }, }, {