doorkeeper-gem · kapschy · Aug 19, 2025 · Aug 19, 2025 · Aug 19, 2025 · Aug 19, 2025
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,6 +1,6 @@
 ## Unreleased
 
-- [#PR ID] Add your changelog entry here.
+- [#226] Respect Doorkeeper's configured `pkce_code_challenge_methods`
 
 ## v1.8.11 (2025-02-10)
 

diff --git a/app/controllers/doorkeeper/openid_connect/discovery_controller.rb b/app/controllers/doorkeeper/openid_connect/discovery_controller.rb
@@ -86,7 +86,7 @@ def response_modes_supported(doorkeeper)
       def code_challenge_methods_supported(doorkeeper)
         return unless doorkeeper.access_grant_model.pkce_supported?
 
-        %w[plain S256]
+        doorkeeper.pkce_code_challenge_methods
       end
 
       def webfinger_response

diff --git a/spec/controllers/discovery_controller_spec.rb b/spec/controllers/discovery_controller_spec.rb
@@ -81,7 +81,7 @@
       end
     end
 
-    context 'when grant_flows is configed with only client_credentials' do
+    context 'when grant_flows is configured with only client_credentials' do
       before { Doorkeeper.configure { grant_flows %w[client_credentials] } }
 
       it 'return empty response_modes_supported' do
@@ -92,7 +92,29 @@
       end
     end
 
-    context 'when grant_flows is configed only implicit flow' do
+    context 'when pkce_code_challenge_methods is configured with only S256' do
+      before { Doorkeeper.configure { pkce_code_challenge_methods %w[S256] } }
+
+      it 'return only S256 in code_challenge_methods_supported' do
+        get :provider
+        data = JSON.parse(response.body)
+
+        expect(data['code_challenge_methods_supported']).to eq %w[S256]
+      end
+    end
+
+    context 'when pkce_code_challenge_methods is configured with only plain' do
+      before { Doorkeeper.configure { pkce_code_challenge_methods %w[plain] } }
+
+      it 'return only plain in code_challenge_methods_supported' do
+        get :provider
+        data = JSON.parse(response.body)
+
+        expect(data['code_challenge_methods_supported']).to eq %w[plain]
+      end
+    end
+
+    context 'when grant_flows is configured only implicit flow' do
       before { Doorkeeper.configure { grant_flows %w[implicit_oidc] } }
 
       it 'return fragment and form_post as response_modes_supported' do
@@ -103,7 +125,7 @@
       end
     end
 
-    context 'when grant_flows is configed with authorization_code and implicit flow' do
+    context 'when grant_flows is configured with authorization_code and implicit flow' do
       before { Doorkeeper.configure { grant_flows %w[authorization_code implicit_oidc] } }
 
       it 'return query, fragment and form_post as response_modes_supported' do

diff --git a/spec/rails_helper.rb b/spec/rails_helper.rb
@@ -36,9 +36,6 @@
 FactoryBot.find_definitions
 
 RSpec.configure do |config|
-  # Remove this line if you're not using ActiveRecord or ActiveRecord fixtures
-  config.fixture_path = "#{::Rails.root}/spec/fixtures"
-
   # If you're not using ActiveRecord, or you'd prefer not to run each of your
   # examples within a transaction, remove the following line or assign false
   # instead of true.