diff --git a/pkg/clusteraccess/access.go b/pkg/clusteraccess/access.go
index f24065e..6e50580 100644
--- a/pkg/clusteraccess/access.go
+++ b/pkg/clusteraccess/access.go
@@ -387,8 +387,8 @@ func createOIDCKubeconfig(opts *CreateOIDCKubeconfigOptions) ([]byte, error) {
 	for _, extraScope := range opts.ExtraScopes {
 		exec.Args = append(exec.Args, "--oidc-extra-scope="+extraScope)
 	}
-	if opts.UsePKCE {
-		exec.Args = append(exec.Args, "--oidc-use-pkce")
+	if opts.PKCEMethod != "" {
+		exec.Args = append(exec.Args, "--oidc-pkce-method="+string(opts.PKCEMethod))
 	}
 	if opts.ForceRefresh {
 		exec.Args = append(exec.Args, "--force-refresh")
@@ -434,7 +434,7 @@ type CreateOIDCKubeconfigOptions struct {
 	ClientID     string
 	ClientSecret string
 	ExtraScopes  []string
-	UsePKCE      bool
+	PKCEMethod   PKCEMethod
 	ForceRefresh bool
 	GrantType    OIDCGrantType
 }
@@ -449,6 +449,14 @@ const (
 	GrantTypeDeviceCode OIDCGrantType = "device-code"
 )
 
+type PKCEMethod string
+
+const (
+	PKCEMethodAuto PKCEMethod = "auto"
+	PKCEMethodNo   PKCEMethod = "no"
+	PKCEMethodS256 PKCEMethod = "S256"
+)
+
 type CreateOIDCKubeconfigOption func(*CreateOIDCKubeconfigOptions)
 
 // WithExtraScope is an option for CreateOIDCKubeconfig that adds an extra scope to the oidc-login subcommand.
@@ -459,10 +467,10 @@ func WithExtraScope(scope string) CreateOIDCKubeconfigOption {
 	}
 }
 
-// UsePKCE is an option for CreateOIDCKubeconfig that enforces the use of PKCE.
-func UsePKCE() CreateOIDCKubeconfigOption {
+// WithPKCEMethod is an option for CreateOIDCKubeconfig that sets the PKCE method.
+func WithPKCEMethod(m PKCEMethod) CreateOIDCKubeconfigOption {
 	return func(opts *CreateOIDCKubeconfigOptions) {
-		opts.UsePKCE = true
+		opts.PKCEMethod = m
 	}
 }
 
diff --git a/pkg/clusteraccess/access_test.go b/pkg/clusteraccess/access_test.go
index bf515ce..c77400b 100644
--- a/pkg/clusteraccess/access_test.go
+++ b/pkg/clusteraccess/access_test.go
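Review bot: `opts.PKCEMethod` is written into the generated kubeconfig's exec args without being checked against the three values the package defines, so a typo or an unexpected value from a caller (`WithPKCEMethod("s256")`, say) only surfaces later when the oidc-login plugin rejects the flag on the user's machine, not when the kubeconfig is produced. Since the function already returns an error, validating here is cheap: `if m := opts.PKCEMethod; m != "" && m != PKCEMethodAuto && m != PKCEMethodNo && m != PKCEMethodS256 {` / `return nil, fmt.Errorf("unsupported PKCE method %q", m)` / `}` placed before the `if opts.PKCEMethod != ""` branch (add the `fmt` import if the file does not have it). It is also worth a one-line comment on that branch, `// Empty means "no flag": the plugin's own default applies.`, since the empty-string case is the only one not covered by a named constant. The body of createOIDCKubeconfig starts and ends outside the hunk.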
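Review bot: The new exported type `PKCEMethod` and its three constants have no doc comments, and the security-relevant difference between them is exactly what a caller needs to know: `PKCEMethodNo` turns PKCE off, while `PKCEMethodAuto` (going by the name) leaves the decision to the plugin or provider rather than requiring it. Suggested comments: `// PKCEMethod selects the PKCE mode passed to the oidc-login plugin via --oidc-pkce-method.` on the type, `// PKCEMethodAuto lets the plugin decide based on the provider's capabilities.`, `// PKCEMethodNo disables PKCE; use only for providers that do not support it.`, and `// PKCEMethodS256 requires the S256 code challenge method.` on the constants. The exact semantics of "auto" are the plugin's, not this package's, so the comment on PKCEMethodAuto should stay as vague as the package's knowledge is.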
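Review bot: The removed `UsePKCE` was documented as enforcing PKCE, but the replacement `WithPKCEMethod` can also weaken it (`PKCEMethodNo`) or make it conditional (`PKCEMethodAuto`), and nothing in the new doc comment tells a caller migrating from `UsePKCE()` which value preserves the old guarantee. Proposed doc comment: `// WithPKCEMethod is an option for CreateOIDCKubeconfig that sets the PKCE method passed to the oidc-login subcommand.` followed by `// Callers that previously used UsePKCE to require PKCE should pass PKCEMethodS256; PKCEMethodAuto defers the choice to the plugin and PKCEMethodNo disables it.`. If the old option is still referenced elsewhere in the module, keeping a thin `// Deprecated:` wrapper that sets PKCEMethodS256 would make the migration explicit instead of a compile error.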
@@ -495,7 +495,7 @@ var _ = Describe("ClusterAccess", func() {
 				kcfgBytes, err := clusteraccess.CreateOIDCKubeconfig("testuser", "https://api.example.com", []byte("test-ca"), "https://example.com/oidc", "test-client-id",
 					clusteraccess.WithExtraScope("foo"),
 					clusteraccess.WithExtraScope("bar"),
-					clusteraccess.UsePKCE(),
+					clusteraccess.WithPKCEMethod(clusteraccess.PKCEMethodAuto),
 					clusteraccess.ForceRefresh(),
 					clusteraccess.WithClientSecret("test-client-secret"),
 					clusteraccess.WithGrantType(clusteraccess.GrantTypePassword),
@@ -523,7 +523,7 @@ var _ = Describe("ClusterAccess", func() {
 					"--grant-type=password",
 					"--oidc-extra-scope=foo",
 					"--oidc-extra-scope=bar",
-					"--oidc-use-pkce",
+					"--oidc-pkce-method=auto",
 					"--force-refresh",
 				))
 			})
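Review bot: The migrated call swaps `UsePKCE()`, which the old doc comment described as enforcing PKCE, for `WithPKCEMethod(clusteraccess.PKCEMethodAuto)`, which by its name leaves the decision to the plugin; if this test is meant to keep exercising the "PKCE required" path, `clusteraccess.WithPKCEMethod(clusteraccess.PKCEMethodS256)` is the closer equivalent, with the expectation below changed to `"--oidc-pkce-method=S256"`. If "auto" is the intended new default for callers, a short comment on this line saying so would stop the next reader from treating it as an accidental downgrade. The enclosing Describe block starts and ends outside the hunk.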
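Review bot: Only the `auto` value is asserted here, so the two cases that matter most for correctness are untested: that omitting the option produces no `--oidc-pkce-method` flag at all (the `!= ""` guard in createOIDCKubeconfig), and that `PKCEMethodNo` and `PKCEMethodS256` are rendered verbatim as `--oidc-pkce-method=no` and `--oidc-pkce-method=S256`. A table-driven `It` over the three constants plus the unset case, asserting presence or absence of the flag in the exec args, would cover the whole switch in one place. The surrounding Describe block continues outside the hunk.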