Add enable_pkce config, True by default

oauthenticator/oauth2.py

@@ -119,7 +119,7 @@ def get(self):
 
         state = {"state_id": state_id, "next_url": next_url}
 
-        if self.authenticator.pkce:
+        if self.authenticator.require_pkce:
             # https://datatracker.ietf.org/doc/html/rfc7636#section-4
             code_verifier = secrets.token_urlsafe(43)
             code_challenge = hashlib.sha256(code_verifier.encode("utf-8")).digest()
@@ -680,13 +680,13 @@ def _allowed_scopes_validation(self, proposal):
         """,
     )
 
-    pkce = Bool(
+    require_pkce = Bool(
         False,
         config=True,
         help="""
-        Whether to use PKCE (Proof Key for Code Exchange) for the OAuth2 flow.
-
-        Only the S256 method is supported.
+        Require Proof Key for Code Exchange (PKCE) for OAuth2 authorization code flow
+        
+        Only the S256 code challenge method is supported.
         `RFC 7636 <https://datatracker.ietf.org/doc/html/rfc7636>`.
         """,
     )
@@ -1008,7 +1008,7 @@ def build_access_tokens_request_params(self, handler, data=None):
             "data": data,
         }
 
-        if self.pkce:
+        if self.require_pkce:
             # https://datatracker.ietf.org/doc/html/rfc7636#section-4.5
             cookie_state = handler.get_state_cookie()
             if not cookie_state:

oauthenticator/tests/test_oauth2.py

@@ -210,11 +210,8 @@ async def test_add_user_override(
 
 
 async def test_login_handler_pkce():
-    authenticator = OAuthenticator(pkce=True)
+    authenticator = OAuthenticator(require_pkce=True)
     login_handler = mock_handler(OAuthLoginHandler, authenticator=authenticator)
-
-    login_handler._generate_state_id = Mock(return_value=TEST_STATE_ID)
-    login_handler.set_state_cookie = Mock()
     login_handler.authorize_redirect = Mock()
 
     login_handler.get()  # no await, since authorize_redirect is mocked
@@ -244,7 +241,7 @@ async def test_callback_handler_pkce():
         }
     )
 
-    authenticator = OAuthenticator(pkce=True)
+    authenticator = OAuthenticator(require_pkce=True)
     callback_handler = mock_handler(
         OAuthCallbackHandler,
         uri=callback_request_uri,
@@ -261,44 +258,3 @@ async def test_callback_handler_pkce():
     params = authenticator.build_access_tokens_request_params(callback_handler)
 
     assert params['code_verifier'] == TEST_CODE_VERIFIER
-
-
-async def test_pkce_not_supported(monkeypatch):
-    url_state = _serialize_state({'state_id': TEST_STATE_ID})
-    callback_request_uri = f"http://myhost/callback?code=123&state={url_state}"
-
-    cookie_state = _serialize_state(
-        {
-            'state_id': TEST_STATE_ID,
-            'next_url': TEST_NEXT_URL,
-            'code_verifier': TEST_CODE_VERIFIER,
-        }
-    )
-
-    authenticator = OAuthenticator(pkce=True)
-    callback_handler = mock_handler(
-        OAuthCallbackHandler,
-        uri=callback_request_uri,
-        authenticator=authenticator,
-    )
-
-    # Mock the statsd setting
-    monkeypatch.setitem(callback_handler.settings, 'statsd', Mock())
-    callback_handler.get_secure_cookie = Mock(return_value=cookie_state.encode('utf8'))
-
-    # Mock the token request to return an error indicating PKCE is not supported
-    error_response = {
-        "error": "invalid_request",
-        "error_description": "PKCE not supported",
-    }
-
-    async def mock_httpfetch(*args, **kwargs):
-        return error_response
-
-    authenticator.httpfetch = mock_httpfetch
-
-    with raises(HTTPError) as exc_info:
-        await callback_handler.get()
-
-    assert exc_info.value.status_code == 403
-    assert "An access token was not returned: PKCE not supported" in str(exc_info.value)