Adds OIDC configuration fields, release notes, etc (quay#1477)

stevsmit · Steven Smith · web-flow · commit 153b2b358a13 · 2025-11-13T09:11:16.000-05:00
Co-authored-by: Steven Smith &lt;stevsmit@stevsmit-thinkpadt14gen4.remote.csb&gt;
diff --git a/modules/configuring-oidc-authentication.adoc b/modules/configuring-oidc-authentication.adoc
@@ -40,6 +40,9 @@ AZURE_LOGIN_CONFIG: <1>
     OIDC_SERVER: <oidc_server_address_> <4>
     SERVICE_NAME: Microsoft Entra ID <5>
     VERIFIED_EMAIL_CLAIM_NAME: <verified_email> <6>
+    USE_PKCE: True <7>
+    PKCE_METHOD: "S256" <8>
+    PUBLIC_CLIENT: True <9>
 # ...
 ----
 <1> The parent key that holds the OIDC configuration settings. In this example, the parent key used is `AZURE_LOGIN_CONFIG`, however, the string `AZURE` can be replaced with any arbitrary string based on your specific needs, for example `ABC123`.However, the following strings are not accepted: `GOOGLE`, `GITHUB`. These strings are reserved for their respective identity platforms and require a specific `config.yaml` entry contingent upon when platform you are using.
@@ -48,6 +51,9 @@ AZURE_LOGIN_CONFIG: <1>
 <4> The address of the OIDC server that is being used for authentication. In this example, you must use `sts.windows.net` as the issuer identifier. Using `https://login.microsoftonline.com` results in the following error: `Could not create provider for AzureAD. Error: oidc: issuer did not match the issuer returned by provider, expected "https://login.microsoftonline.com/73f2e714-xxxx-xxxx-xxxx-dffe1df8a5d5" got "https://sts.windows.net/73f2e714-xxxx-xxxx-xxxx-dffe1df8a5d5/"`. 
 <5> The name of the service that is being authenticated.
 <6> The name of the claim that is used to verify the email address of the user.
+<7> Specifies whether to enable Proof Key for Code Exchange (PKCE) for OIDC authentication. Defaults to `False`.
+<8> Specifies the  code challenge method used to generate the `code_challenge` sent in the initial authorization request. Defaults to `S256`.
+<9> Specifies whether to omit `client_secret` during token request when the client is public. Defaults to `False`.
 
 . Proper configuration of Microsoft Entra ID results three redirects with the following format:
 +
diff --git a/modules/new-features-and-enhancements-316.adoc b/modules/new-features-and-enhancements-316.adoc
@@ -31,4 +31,13 @@ The following information can be viewed from the *Superuser* panel:
 * Messages
 * Build logs
 
-This panel is nearly equivalent to the *Superuser Admin Panel* on the v1 UI with one exception: {productname} superusers now create new users from the *Organizations* page of the v2 UI.
+This panel is nearly equivalent to the *Superuser Admin Panel* on the v1 UI with one exception: {productname} superusers now create new users from the *Organizations* page of the v2 UI.
+
+[id="pkce-integration-support"]
+== Proof Key for Code Exchange support for OIDC authentication
+
+Previously, {productname} could not authenticate with Proof Key for Code Exchange (PKCE) providers, such as Azure AD or Okta. This led to a loss of service for affected customers. 
+
+With this release, PKCE is now supported for OpenID Connect (OIDC) authentication. {productname} administrators can enable PKCE on a per-OIDC provider basis in their `config.yaml` file.
+
+For more information, see link:https://docs.redhat.com/en/documentation/red_hat_quay/3/html-single/manage_red_hat_quay/index#configuring-oidc-authentication[Configuring OIDC for {productname}].
diff --git a/modules/new-quay-config-fields-316.adoc b/modules/new-quay-config-fields-316.adoc
@@ -61,6 +61,21 @@ The following configuration fields are available to completely disable the legac
 
 |===
 
+[id="enabling-pkce-oidc-auth"]
+== Enabling PKCE for OIDC authentication
 
+With this release, Proof Key for Code Exchange (PKCE) is now supported for OpenID Connect (OIDC) authentication. {productname} administrators can enable PKCE with the following configuration fields.
 
+.PKCE configuration fields
+[cols="3a,1a,2a",options="header"]
+|===
+| Field | Type | Description
+
+| *USE_PKCE* | Boolean | Whether to enable support for Proof Key for Code Exchange. Defaults to `False`.
+
+|*PKCE_METHOD* |Integer | The the code challenge method used to generate the `code_challenge` sent in the initial authorization request. Defaults to `S256`.
+
+|*PUBLIC_CLIENT* |Boolean | Whether to omit `client_secret` during token request when the client is public. Defaults to `False`.
+|===
 
+For more information, see link:https://docs.redhat.com/en/documentation/red_hat_quay/3/html-single/manage_red_hat_quay/index#configuring-oidc-authentication[Configuring OIDC for {productname}].
diff --git a/modules/oidc-config-fields.adoc b/modules/oidc-config-fields.adoc
@@ -48,6 +48,18 @@ You can configure {productname} to authenticate users through any OpenID Connect
 | **{nbsp}{nbsp}{nbsp}.OIDC_DISABLE_USER_ENDPOINT** | Boolean | Whether to allow or disable the `/userinfo` endpoint. If using Azure Entra ID, this field must be set to `True` because Azure obtains the user's information from the token instead of calling the `/userinfo` endpoint. +
  +
  **Default:** `False`
+
+| *USE_PKCE* | Boolean | Whether to enable support for Proof Key for Code Exchange. +
+ +
+ **Default:** `False`
+
+|*PKCE_METHOD* |Integer | The the code challenge method used to generate the `code_challenge` sent in the initial authorization request. +
+ +
+ **Default:** `S256`
+
+|*PUBLIC_CLIENT* |Boolean | Whether to omit `client_secret` during token request when the client is public. +
+ +
+ **Default:** `False`
 |===
 
 .OIDC example YAML
@@ -78,5 +90,8 @@ AUTHENTICATION_TYPE: OIDC
   VERIFIED_EMAIL_CLAIM_NAME: <verified_email_claim>
   PREFERRED_GROUP_CLAIM_NAME: <preferred_group_claim>
   OIDC_DISABLE_USER_ENDPOINT: true
+  USE_PKCE: True
+  PKCE_METHOD: "S256"
+  PUBLIC_CLIENT: True
 # ...
 ----
