feat!: replace deprecated PKCE flag (#168)

ValentinGerlach · web-flow · commit 59471d48a34e · 2025-10-20T20:57:41.000+02:00
* fix: replace deprecated PKCE flag

* make PKCE method configurable

* Fix comment for WithPKCEMethod function
diff --git a/pkg/clusteraccess/access.go b/pkg/clusteraccess/access.go
@@ -387,8 +387,8 @@ func createOIDCKubeconfig(opts *CreateOIDCKubeconfigOptions) ([]byte, error) {
 	for _, extraScope := range opts.ExtraScopes {
 		exec.Args = append(exec.Args, "--oidc-extra-scope="+extraScope)
 	}
-	if opts.UsePKCE {
-		exec.Args = append(exec.Args, "--oidc-use-pkce")
+	if opts.PKCEMethod != "" {
+		exec.Args = append(exec.Args, "--oidc-pkce-method="+string(opts.PKCEMethod))
 	}
 	if opts.ForceRefresh {
 		exec.Args = append(exec.Args, "--force-refresh")
@@ -434,7 +434,7 @@ type CreateOIDCKubeconfigOptions struct {
 	ClientID     string
 	ClientSecret string
 	ExtraScopes  []string
-	UsePKCE      bool
+	PKCEMethod   PKCEMethod
 	ForceRefresh bool
 	GrantType    OIDCGrantType
 }
@@ -449,6 +449,14 @@ const (
 	GrantTypeDeviceCode       OIDCGrantType = "device-code"
 )
 
+type PKCEMethod string
+
+const (
+	PKCEMethodAuto PKCEMethod = "auto"
+	PKCEMethodNo   PKCEMethod = "no"
+	PKCEMethodS256 PKCEMethod = "S256"
+)
+
 type CreateOIDCKubeconfigOption func(*CreateOIDCKubeconfigOptions)
 
 // WithExtraScope is an option for CreateOIDCKubeconfig that adds an extra scope to the oidc-login subcommand.
@@ -459,10 +467,10 @@ func WithExtraScope(scope string) CreateOIDCKubeconfigOption {
 	}
 }
 
-// UsePKCE is an option for CreateOIDCKubeconfig that enforces the use of PKCE.
-func UsePKCE() CreateOIDCKubeconfigOption {
+// WithPKCEMethod is an option for CreateOIDCKubeconfig that sets the PKCE method.
+func WithPKCEMethod(m PKCEMethod) CreateOIDCKubeconfigOption {
 	return func(opts *CreateOIDCKubeconfigOptions) {
-		opts.UsePKCE = true
+		opts.PKCEMethod = m
 	}
 }
 
diff --git a/pkg/clusteraccess/access_test.go b/pkg/clusteraccess/access_test.go
@@ -495,7 +495,7 @@ var _ = Describe("ClusterAccess", func() {
 			kcfgBytes, err := clusteraccess.CreateOIDCKubeconfig("testuser", "https://api.example.com", []byte("test-ca"), "https://example.com/oidc", "test-client-id",
 				clusteraccess.WithExtraScope("foo"),
 				clusteraccess.WithExtraScope("bar"),
-				clusteraccess.UsePKCE(),
+				clusteraccess.WithPKCEMethod(clusteraccess.PKCEMethodAuto),
 				clusteraccess.ForceRefresh(),
 				clusteraccess.WithClientSecret("test-client-secret"),
 				clusteraccess.WithGrantType(clusteraccess.GrantTypePassword),
@@ -523,7 +523,7 @@ var _ = Describe("ClusterAccess", func() {
 				"--grant-type=password",
 				"--oidc-extra-scope=foo",
 				"--oidc-extra-scope=bar",
-				"--oidc-use-pkce",
+				"--oidc-pkce-method=auto",
 				"--force-refresh",
 			))
 		})

Original file line number	Diff line number	Diff line change
`@@ -387,8 +387,8 @@ func createOIDCKubeconfig(opts *CreateOIDCKubeconfigOptions) ([]byte, error) {`
`387`	`387`	`for _, extraScope := range opts.ExtraScopes {`
`388`	`388`	`exec.Args = append(exec.Args, "--oidc-extra-scope="+extraScope)`
`389`	`389`	`}`
`390`		`- if opts.UsePKCE {`
`391`		`- exec.Args = append(exec.Args, "--oidc-use-pkce")`
	`390`	`+ if opts.PKCEMethod != "" {`
	`391`	`+ exec.Args = append(exec.Args, "--oidc-pkce-method="+string(opts.PKCEMethod))`
`392`	`392`	`}`
`393`	`393`	`if opts.ForceRefresh {`
`394`	`394`	`exec.Args = append(exec.Args, "--force-refresh")`
`@@ -434,7 +434,7 @@ type CreateOIDCKubeconfigOptions struct {`
`434`	`434`	`ClientID string`
`435`	`435`	`ClientSecret string`
`436`	`436`	`ExtraScopes []string`
`437`		`- UsePKCE bool`
	`437`	`+ PKCEMethod PKCEMethod`
`438`	`438`	`ForceRefresh bool`
`439`	`439`	`GrantType OIDCGrantType`
`440`	`440`	`}`
`@@ -449,6 +449,14 @@ const (`
`449`	`449`	`GrantTypeDeviceCode OIDCGrantType = "device-code"`
`450`	`450`	`)`
`451`	`451`
	`452`	`+type PKCEMethod string`
	`453`	`+`
	`454`	`+const (`
	`455`	`+ PKCEMethodAuto PKCEMethod = "auto"`
	`456`	`+ PKCEMethodNo PKCEMethod = "no"`
	`457`	`+ PKCEMethodS256 PKCEMethod = "S256"`
	`458`	`+)`
	`459`	`+`
`452`	`460`	`type CreateOIDCKubeconfigOption func(*CreateOIDCKubeconfigOptions)`
`453`	`461`
`454`	`462`	`// WithExtraScope is an option for CreateOIDCKubeconfig that adds an extra scope to the oidc-login subcommand.`
`@@ -459,10 +467,10 @@ func WithExtraScope(scope string) CreateOIDCKubeconfigOption {`
`459`	`467`	`}`
`460`	`468`	`}`
`461`	`469`
`462`		`-// UsePKCE is an option for CreateOIDCKubeconfig that enforces the use of PKCE.`
`463`		`-func UsePKCE() CreateOIDCKubeconfigOption {`
	`470`	`+// WithPKCEMethod is an option for CreateOIDCKubeconfig that sets the PKCE method.`
	`471`	`+func WithPKCEMethod(m PKCEMethod) CreateOIDCKubeconfigOption {`
`464`	`472`	`return func(opts *CreateOIDCKubeconfigOptions) {`
`465`		`- opts.UsePKCE = true`
	`473`	`+ opts.PKCEMethod = m`
`466`	`474`	`}`
`467`	`475`	`}`
`468`	`476`