From c07eb86765603380107bd6ab7bc2f95c510083f7 Mon Sep 17 00:00:00 2001 From: Eric Mc Sween <5454374+emcsween@users.noreply.github.com> Date: Thu, 8 May 2025 11:13:59 -0400 Subject: [PATCH] Configure PKCE support in OAuth clients (#25300) This flag will control whether or not a particular client is allowed to use PKCE instead of a client secret when requesting an access token. GitOrigin-RevId: b9471112a485233308410e0cb7f20e20a613a971 --- .../web/scripts/oauth/register_client.mjs | 27 ++++++++++++++++++- 1 file changed, 26 insertions(+), 1 deletion(-) diff --git a/services/web/scripts/oauth/register_client.mjs b/services/web/scripts/oauth/register_client.mjs index a3b798155b..8ca97f7321 100644 --- a/services/web/scripts/oauth/register_client.mjs +++ b/services/web/scripts/oauth/register_client.mjs @@ -34,31 +34,45 @@ async function upsertApplication(opts) { const key = { id: opts.id } const defaults = {} const updates = {} + if (opts.name != null) { updates.name = opts.name } + if (opts.secret != null) { updates.clientSecret = hashSecret(opts.secret) } + if (opts.grants != null) { updates.grants = opts.grants } else { defaults.grants = [] } + if (opts.scopes != null) { updates.scopes = opts.scopes } else { defaults.scopes = [] } + if (opts.redirectUris != null) { updates.redirectUris = opts.redirectUris } else { defaults.redirectUris = [] } + if (opts.mongoId != null) { defaults._id = new ObjectId(opts.mongoId) } + if (opts.enablePkce) { + updates.pkceEnabled = true + } + + if (opts.disablePkce) { + updates.pkceEnabled = false + } + await db.oauthApplications.updateOne( key, { 
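Review bot: A client created without either flag is stored with no `pkceEnabled` field at all, because the two added `if` blocks only write to `updates` and nothing goes into `defaults` the way it does for `grants`, `scopes` and `redirectUris`. Since this flag decides whether a client may request a token without its secret, the stored default is better explicit than left to how each reader treats `undefined`. One way is a single chain: `if (opts.disablePkce) { updates.pkceEnabled = false } else if (opts.enablePkce) { updates.pkceEnabled = true } else { defaults.pkceEnabled = false }`. This keeps the current "disable wins" outcome for callers that bypass `parseArgs` and never puts the field in both objects. It assumes `defaults` feeds the insert-only part of the `updateOne` document, which is cut off at the end of the hunk.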
@@ -71,17 +85,24 @@ async function upsertApplication(opts) { function parseArgs() { const args = minimist(process.argv.slice(2), { - boolean: ['help'], + boolean: ['help', 'enable-pkce', 'disable-pkce'], }) + if (args.help) { usage() process.exit(0) } + if (args._.length !== 1) { usage() process.exit(1) } + if (args['enable-pkce'] && args['disable-pkce']) { + console.error('Options --enable-pkce and --disable-pkce are exclusive') + process.exit(1) + } + return { id: args._[0], mongoId: args['mongo-id'], @@ -90,6 +111,8 @@ function parseArgs() { scopes: toArray(args.scope), grants: toArray(args.grant), redirectUris: toArray(args['redirect-uri']), + enablePkce: args['enable-pkce'], + disablePkce: args['disable-pkce'], } } @@ -105,6 +128,8 @@ Options: --grant Accepted grant type (can be given more than once) --redirect-uri Accepted redirect URI (can be given more than once) --mongo-id Mongo ID to use if the configuration is created (optional) + --enable-pkce Enable PKCE + --disable-pkce Disable PKCE `) }
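Review bot: A misspelt `--disable-pkce` or `--enable-pkce` is accepted silently, because the `minimist` call lists only `boolean` names and has no `unknown` handler. The script then exits successfully while the client keeps whatever PKCE setting it had. For a switch that relaxes the client-secret requirement, that gap between operator intent and stored state is worth failing on. Consider declaring the value-taking options under `string` and passing an `unknown` callback that prints usage and exits non-zero for any unrecognised argument starting with `-`. `parseArgs` continues past this hunk, so the full option list needs checking against the rest of the function.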
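Review bot: The help lines `Enable PKCE` and `Disable PKCE` in the last hunk do not say what the switch changes, although the commit message does: the client may use PKCE instead of a client secret when requesting an access token. I would put that in the usage text, e.g. `--enable-pkce            Allow this client to use PKCE instead of a client secret` and `--disable-pkce           Do not allow PKCE in place of the client secret`. A line noting that omitting both flags leaves an existing client's setting unchanged would also help. The body of `usage()` starts outside this hunk.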