PKCE

[teohhanhui]

I'd like to add support for PKCE, specifically:

1. Allow passing optional code_challenge to auth_url.
2. Allow passing optional code_verifier to request_token.

(1) is not a strictly necessary change, as we can just add code_challenge and code_challenge_method to the Url returned from auth_url.

(2) is however a required change, as I don't see an existing way to append code_verifier to the request body sent in request_token.

https://datatracker.ietf.org/doc/html/rfc7636

[teohhanhui]

The draft OAuth 2.1 spec requires the use of PKCE:

Clients MUST use code_challenge and code_verifier and authorization
servers MUST enforce their use except under the conditions described
in Section 7.5.1. In this case, using and enforcing code_challenge
and code_verifier as described in the following is still RECOMMENDED.

https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-12#section-4.1.1

[kilork]

Yeap, this is also on my list:

[teohhanhui]

@kilork Would it be okay if I work on a PR?

[kilork]

@teohhanhui It is open source, we always expect contributions, you are welcome. Having some implementation is better than no implementation, after this we can decide on details, how to better fit into project, to not break already existing user base.