From 30761c9b4c47b0e316af2a3e89c0389e3147816e Mon Sep 17 00:00:00 2001
From: Valentin Gerlach
Date: Mon, 20 Oct 2025 13:33:16 +0200
Subject: [PATCH 1/3] fix: replace deprecated PKCE flag
---
 pkg/clusteraccess/access.go | 2 +-
 pkg/clusteraccess/access_test.go | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/pkg/clusteraccess/access.go b/pkg/clusteraccess/access.go
index f24065e..ff73f10 100644
--- a/pkg/clusteraccess/access.go
+++ b/pkg/clusteraccess/access.go
@@ -388,7 +388,7 @@ func createOIDCKubeconfig(opts *CreateOIDCKubeconfigOptions) ([]byte, error) {
 exec.Args = append(exec.Args, "--oidc-extra-scope="+extraScope)
 }
 if opts.UsePKCE {
- exec.Args = append(exec.Args, "--oidc-use-pkce")
+ exec.Args = append(exec.Args, "--oidc-pkce-method=auto")
 }
 if opts.ForceRefresh {
 exec.Args = append(exec.Args, "--force-refresh")
diff --git a/pkg/clusteraccess/access_test.go b/pkg/clusteraccess/access_test.go
index bf515ce..e298510 100644
--- a/pkg/clusteraccess/access_test.go
+++ b/pkg/clusteraccess/access_test.go
@@ -523,7 +523,7 @@ var _ = Describe("ClusterAccess", func() {
 "--grant-type=password",
 "--oidc-extra-scope=foo",
 "--oidc-extra-scope=bar",
- "--oidc-use-pkce",
+ "--oidc-pkce-method=auto",
 "--force-refresh",
 ))
 })
From f8d3b4a63c45276603991f82148f57bb51ebfef7 Mon Sep 17 00:00:00 2001
From: Valentin Gerlach
Date: Mon, 20 Oct 2025 14:01:56 +0200
Subject: [PATCH 2/3] make PKCE method configurable
---
 pkg/clusteraccess/access.go | 20 ++++++++++++++------
 pkg/clusteraccess/access_test.go | 2 +-
 2 files changed, 15 insertions(+), 7 deletions(-)
diff --git a/pkg/clusteraccess/access.go b/pkg/clusteraccess/access.go
index ff73f10..62a91a0 100644
--- a/pkg/clusteraccess/access.go
+++ b/pkg/clusteraccess/access.go
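Review bot: In the `access.go` hunk of PATCH 1/3, mapping `opts.UsePKCE` to `--oidc-pkce-method=auto` looks weaker than what the option promises. The `UsePKCE` doc comment visible later in this series says it "enforces the use of PKCE", whereas `auto` presumably leaves the decision to the plugin and to what the identity provider advertises. If PKCE should stay mandatory for callers who opted in, the like-for-like replacement would be `exec.Args = append(exec.Args, "--oidc-pkce-method=S256")`, using the value this series later exposes as `PKCEMethodS256`, and the expectation in `access_test.go` would change to match. The body of `createOIDCKubeconfig` starts and ends outside the hunk.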
@@ -387,8 +387,8 @@ func createOIDCKubeconfig(opts *CreateOIDCKubeconfigOptions) ([]byte, error) {
 for _, extraScope := range opts.ExtraScopes {
 exec.Args = append(exec.Args, "--oidc-extra-scope="+extraScope)
 }
- if opts.UsePKCE {
- exec.Args = append(exec.Args, "--oidc-pkce-method=auto")
+ if opts.PKCEMethod != "" {
+ exec.Args = append(exec.Args, "--oidc-pkce-method="+string(opts.PKCEMethod))
 }
 if opts.ForceRefresh {
 exec.Args = append(exec.Args, "--force-refresh")
@@ -434,7 +434,7 @@ type CreateOIDCKubeconfigOptions struct {
 ClientID string
 ClientSecret string
 ExtraScopes []string
- UsePKCE bool
+ PKCEMethod PKCEMethod
 ForceRefresh bool
 GrantType OIDCGrantType
 }
@@ -449,6 +449,14 @@ const (
 GrantTypeDeviceCode OIDCGrantType = "device-code"
 )
 
+type PKCEMethod string
+
+const (
+ PKCEMethodAuto PKCEMethod = "auto"
+ PKCEMethodNo PKCEMethod = "no"
+ PKCEMethodS256 PKCEMethod = "S256"
+)
+
 type CreateOIDCKubeconfigOption func(*CreateOIDCKubeconfigOptions)
 
 // WithExtraScope is an option for CreateOIDCKubeconfig that adds an extra scope to the oidc-login subcommand.
@@ -459,10 +467,10 @@ func WithExtraScope(scope string) CreateOIDCKubeconfigOption {
 }
 }
 
-// UsePKCE is an option for CreateOIDCKubeconfig that enforces the use of PKCE.
-func UsePKCE() CreateOIDCKubeconfigOption {
+// WithPKCEMethod is an option for CreateOIDCKubeconfig that sets PKCE method.
+func WithPKCEMethod(m PKCEMethod) CreateOIDCKubeconfigOption {
 return func(opts *CreateOIDCKubeconfigOptions) {
- opts.UsePKCE = true
+ opts.PKCEMethod = m
 }
 }
 
diff --git a/pkg/clusteraccess/access_test.go b/pkg/clusteraccess/access_test.go
index e298510..c77400b 100644
--- a/pkg/clusteraccess/access_test.go
+++ b/pkg/clusteraccess/access_test.go
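Review bot: In the `@@ -387,8 +387,8 @@` hunk, `opts.PKCEMethod` is concatenated into the exec arguments without being checked against the three declared constants. Any string a caller converts to `PKCEMethod` (a typo such as `s256`, or a value carrying stray whitespace) is written into the generated kubeconfig and surfaces only when the plugin runs at login time. Since `createOIDCKubeconfig` already returns an error, rejecting unknown values here keeps a bad method out of the kubeconfig. The sketch assumes `fmt` is imported in this file, which the hunk does not show; the function body starts and ends outside the hunk.

```go
	// … unchanged: extra-scope loop …
	switch opts.PKCEMethod {
	case "":
		// No flag emitted; the plugin's own default applies.
	case PKCEMethodAuto, PKCEMethodNo, PKCEMethodS256:
		exec.Args = append(exec.Args, "--oidc-pkce-method="+string(opts.PKCEMethod))
	default:
		return nil, fmt.Errorf("unsupported PKCE method %q", opts.PKCEMethod)
	}
	// … unchanged: ForceRefresh handling …
```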
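Review bot: In the `@@ -449,6 +449,14 @@` hunk, the exported `PKCEMethod` type and its three constants are added without doc comments, and the security meaning of each value is not obvious from the names. I would add `// PKCEMethod selects the PKCE code challenge method passed to the oidc-login plugin via --oidc-pkce-method.` on the type. Each constant should get one line: `PKCEMethodNo` turns PKCE off, `PKCEMethodS256` requires the S256 challenge, and `PKCEMethodAuto` leaves the choice to the plugin. That last one presumably depends on what the provider advertises, which is worth confirming against the plugin's documentation before writing it down.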
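Review bot: In the `@@ -459,10 +467,10 @@` hunk, removing the exported `UsePKCE()` option (together with the `UsePKCE` field in the struct hunk above) breaks existing callers at compile time. The quickest fix for them, dropping the option, emits no PKCE flag at all. A deprecated wrapper that keeps the documented "enforces the use of PKCE" behaviour would avoid that: `// Deprecated: use WithPKCEMethod(PKCEMethodS256).` above `func UsePKCE() CreateOIDCKubeconfigOption { return WithPKCEMethod(PKCEMethodS256) }`. The `WithPKCEMethod` doc comment should also say that leaving the method unset passes no `--oidc-pkce-method` flag, so the plugin's default applies.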
@@ -495,7 +495,7 @@ var _ = Describe("ClusterAccess", func() {
 kcfgBytes, err := clusteraccess.CreateOIDCKubeconfig("testuser", "https://api.example.com", []byte("test-ca"), "https://example.com/oidc", "test-client-id",
 clusteraccess.WithExtraScope("foo"),
 clusteraccess.WithExtraScope("bar"),
- clusteraccess.UsePKCE(),
+ clusteraccess.WithPKCEMethod(clusteraccess.PKCEMethodAuto),
 clusteraccess.ForceRefresh(),
 clusteraccess.WithClientSecret("test-client-secret"),
 clusteraccess.WithGrantType(clusteraccess.GrantTypePassword),
From 6a56e16cec770cbf70a9b6e8f123cab5cfc229cf Mon Sep 17 00:00:00 2001
From: Valentin Gerlach
Date: Mon, 20 Oct 2025 14:57:14 +0200
Subject: [PATCH 3/3] Fix comment for WithPKCEMethod function
---
 pkg/clusteraccess/access.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkg/clusteraccess/access.go b/pkg/clusteraccess/access.go
index 62a91a0..6e50580 100644
--- a/pkg/clusteraccess/access.go
+++ b/pkg/clusteraccess/access.go
@@ -467,7 +467,7 @@ func WithExtraScope(scope string) CreateOIDCKubeconfigOption {
 }
 }
 
-// WithPKCEMethod is an option for CreateOIDCKubeconfig that sets PKCE method.
+// WithPKCEMethod is an option for CreateOIDCKubeconfig that sets the PKCE method.
 func WithPKCEMethod(m PKCEMethod) CreateOIDCKubeconfigOption {
 return func(opts *CreateOIDCKubeconfigOptions) {
 opts.PKCEMethod = m
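Review bot: In the `access_test.go` hunk of PATCH 2/3, the only value exercised is `PKCEMethodAuto`, so nothing pins the two security-relevant ends of the new option. I would add a case that omits `WithPKCEMethod` and asserts that no `--oidc-pkce-method` argument is present. A second case should pass `clusteraccess.WithPKCEMethod(clusteraccess.PKCEMethodS256)` and assert `"--oidc-pkce-method=S256"`. The enclosing spec starts and ends outside the hunk.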