Hi, I'm working on my project, and I need OAuth2 authentication through a 3rd-party resource. It appears that some providers require PKCE parameters in requests, though their authentication server only supports the plain code challenge method. This leads to a failure when receiving the access token.
The class OAuth2AuthorizationRequestCustomizers, which adds the withPkce() method, only does the S256 code challenge. I'm new to Spring Security, but it seems that plain support can be done smoothly in the source code of the class OAuth2AuthorizationRequestCustomizers, while from outside it can be difficult.
Thanks for your attention.
Comment From: marcusdacoregio
Hi, @ryhail. The withPkce() method is nothing more than a shortcut that customizes the OAuth2AuthorizationRequest. You can use the customizer the same way the withPkce() method does, for example:
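    resolver.setAuthorizationRequestCustomizer(builder -> {
        builder.additionalParameters((params) -> {
            // Placeholder value. With the "plain" method the code_challenge is the
            // code_verifier itself, so real code needs a fresh random value per request.
            String codeChallenge = "challenge";
            params.put(PkceParameterNames.CODE_CHALLENGE, codeChallenge);
            params.put(PkceParameterNames.CODE_CHALLENGE_METHOD, "plain");
        });
    });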
Does that make sense?
Comment From: ryhail
That looks fine, thanks for the reply.
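
A fuller version of the customizer discussed above, as an added example that is not part of the original thread or of Spring Security itself. The class name `PlainPkceCustomizer` and its helper methods are hypothetical; it generates a fresh verifier per request and stores it under the `code_verifier` attribute, the same attribute `withPkce()` uses, so the token request can send it back.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.function.Consumer;

import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.web.DefaultOAuth2AuthorizationRequestResolver;
import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest;
import org.springframework.security.oauth2.core.endpoint.PkceParameterNames;

// Hypothetical helper class (name chosen for this example).
public final class PlainPkceCustomizer implements Consumer<OAuth2AuthorizationRequest.Builder> {

    private static final SecureRandom RANDOM = new SecureRandom();

    // 32 random bytes encode to 43 base64url characters,
    // the minimum code_verifier length allowed by RFC 7636.
    static String newCodeVerifier() {
        byte[] bytes = new byte[32];
        RANDOM.nextBytes(bytes);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
    }

    @Override
    public void accept(OAuth2AuthorizationRequest.Builder builder) {
        // Fresh value for every authorization request, never a constant.
        String codeVerifier = newCodeVerifier();
        // Attributes are not sent to the authorization endpoint; the verifier
        // is kept here so it can be sent as code_verifier in the token request.
        builder.attributes(attrs -> attrs.put(PkceParameterNames.CODE_VERIFIER, codeVerifier));
        builder.additionalParameters(params -> {
            // With "plain", the challenge is the verifier itself (no hashing).
            params.put(PkceParameterNames.CODE_CHALLENGE, codeVerifier);
            params.put(PkceParameterNames.CODE_CHALLENGE_METHOD, "plain");
        });
    }

    // Wiring: "/oauth2/authorization" is Spring Security's default
    // authorization request base URI.
    public static DefaultOAuth2AuthorizationRequestResolver resolver(ClientRegistrationRepository repo) {
        DefaultOAuth2AuthorizationRequestResolver resolver =
                new DefaultOAuth2AuthorizationRequestResolver(repo, "/oauth2/authorization");
        resolver.setAuthorizationRequestCustomizer(new PlainPkceCustomizer());
        return resolver;
    }
}
```

Because the `plain` challenge equals the verifier, anyone who can read the authorization request can redeem the code; RFC 7636 permits `plain` only when the client cannot support S256, so keep this limited to registrations whose provider accepts nothing else.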