From 5cdbdbf215bf31874c896dbc8208c551311e1bef Mon Sep 17 00:00:00 2001
From: Tom Hubrecht
Date: Mon, 28 Apr 2025 12:54:30 +0200
Subject: [PATCH] =?UTF-8?q?=E2=9C=A8(settings)=20Allow=20configuring=20PKC?=
 =?UTF-8?q?E=20for=20the=20SSO=20(#886)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

C.f. https://mozilla-django-oidc.readthedocs.io/en/latest/settings.html#OIDC_USE_PKCE

## Purpose

Add pkce settings

## Proposal

Get the settings from the environment

Signed-off-by: Tom Hubrecht
---
 CHANGELOG.md | 1 +
 src/backend/impress/settings.py | 11 +++++++++++
 2 files changed, 12 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 7ac31a5a..63f8675b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -12,6 +12,7 @@ and this project adheres to

 - 🚸(backend) make document search on title accent-insensitive #874
 - 🚩 add homepage feature flag #861
+- ✨(settings) Allow configuring PKCE for the SSO #886

 ## Changed

diff --git a/src/backend/impress/settings.py b/src/backend/impress/settings.py
index 55e7909b..8c028bad 100755
--- a/src/backend/impress/settings.py
+++ b/src/backend/impress/settings.py
@@ -520,6 +520,17 @@ class Base(Configuration):
 environ_name="OIDC_FALLBACK_TO_EMAIL_FOR_IDENTIFICATION",
 environ_prefix=None,
 )
+ OIDC_USE_PKCE = values.BooleanValue(
+ default=False, environ_name="OIDC_USE_PKCE", environ_prefix=None
+ )
+ OIDC_PKCE_CODE_CHALLENGE_METHOD = values.Value(
+ default="S256",
+ environ_name="OIDC_PKCE_CODE_CHALLENGE_METHOD",
+ environ_prefix=None,
+ )
+ OIDC_PKCE_CODE_VERIFIER_SIZE = values.IntegerValue(
+ default=64, environ_name="OIDC_PKCE_CODE_VERIFIER_SIZE", environ_prefix=None
+ )

 # WARNING: Enabling this setting allows multiple user accounts to share the same email
 # address. This may cause security issues and is not recommended for production use when
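Review bot: `OIDC_PKCE_CODE_CHALLENGE_METHOD` and `OIDC_PKCE_CODE_VERIFIER_SIZE` in the settings.py hunk are taken from the environment with no validation, so a deployment can set the method to `plain` (which gives no protection once the authorization request is observed) or a verifier size outside the 43–128 characters that RFC 7636 allows. As far as I can tell mozilla-django-oidc only rejects such values when a login is attempted, so a typo would show up as a failed sign-in rather than at startup; that is worth confirming against the library version in use. I would add a comment above the three settings, for example `# PKCE (RFC 7636): keep the method at "S256"; "plain" only for providers that cannot do S256. Verifier size must be 43-128.`, and consider rejecting other values when settings are loaded. The `default=False` on `OIDC_USE_PKCE` keeps existing deployments unchanged, but the deployment documentation should recommend enabling it wherever the identity provider supports PKCE. The `Base` class body starts and ends outside this hunk.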