From dde910e2ac989b506b4df34d9009e6c34e3ebfb9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ga=C3=ABl=20Utard?=
Date: Mon, 13 Nov 2023 13:30:16 +0100
Subject: [PATCH] Add code_challenge_methods_supported property to OIDC auto discovery
Fix #1249
---
 AUTHORS | 1 +
 CHANGELOG.md | 1 +
 oauth2_provider/views/oidc.py | 2 ++
 tests/test_oidc_views.py | 3 +++
 4 files changed, 7 insertions(+)
diff --git a/AUTHORS b/AUTHORS
index 84fc2a7aa..689ab48de 100644
--- a/AUTHORS
+++ b/AUTHORS
@@ -52,6 +52,7 @@ Egor Poderiagin
 Emanuele Palazzetti
 Federico Dolce
 Frederico Vieira
+Gaƫl Utard
 Hasan Ramezani
 Hiroki Kiyohara
 Hossein Shakiba
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0a7185824..dfc9dedfd 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -26,6 +26,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 * #1311 Add option to disable client_secret hashing to allow verifying JWTs' signatures.
 * #1337 Gracefully handle expired or deleted refresh tokens, in `validate_user`.
 * #1350 Support Python 3.12 and Django 5.0
+* #1249 Add code_challenge_methods_supported property to auto discovery informations
 ### Fixed
 * #1322 Instructions in documentation on how to create a code challenge and code verifier
diff --git a/oauth2_provider/views/oidc.py b/oauth2_provider/views/oidc.py
index 26bc977f2..584b0c895 100644
--- a/oauth2_provider/views/oidc.py
+++ b/oauth2_provider/views/oidc.py
@@ -26,6 +26,7 @@
 from ..forms import ConfirmLogoutForm
 from ..http import OAuth2ResponseRedirect
 from ..models import (
+ AbstractGrant,
 get_access_token_model,
 get_application_model,
 get_id_token_model,
@@ -96,6 +97,7 @@ def get(self, request, *args, **kwargs):
 "token_endpoint_auth_methods_supported": (
 oauth2_settings.OIDC_TOKEN_ENDPOINT_AUTH_METHODS_SUPPORTED
 ),
+ "code_challenge_methods_supported": [key for key, _ in AbstractGrant.CODE_CHALLENGE_METHODS],
 "claims_supported": oidc_claims,
 }
 if oauth2_settings.OIDC_RP_INITIATED_LOGOUT_ENABLED:
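Review bot: The new `code_challenge_methods_supported` entry in `get()` is built from `AbstractGrant.CODE_CHALLENGE_METHODS`, the choices declared on the abstract base model, not from the grant model the deployment has configured nor from whatever validates `code_challenge_method` at the authorization endpoint (not visible in this hunk), so the published metadata can drift from what the server really accepts. If the project's swappable-model accessor is importable here, `[key for key, _ in get_grant_model().CODE_CHALLENGE_METHODS]` would at least follow a customised Grant model. The list also advertises `plain` (the tests in this patch expect `["plain", "S256"]`), which offers no protection once the authorization request is observed; a comment such as `# RFC 8414 metadata: "plain" is listed because the Grant model accepts it; clients should use S256` would make that explicit for the next maintainer. The body of `get()` starts and ends outside the hunk.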
diff --git a/tests/test_oidc_views.py b/tests/test_oidc_views.py
index 98939e02d..77a047cbb 100644
--- a/tests/test_oidc_views.py
+++ b/tests/test_oidc_views.py
@@ -48,6 +48,7 @@ def test_get_connect_discovery_info(self):
 "subject_types_supported": ["public"],
 "id_token_signing_alg_values_supported": ["RS256", "HS256"],
 "token_endpoint_auth_methods_supported": ["client_secret_post", "client_secret_basic"],
+ "code_challenge_methods_supported": ["plain", "S256"],
 "claims_supported": ["sub"],
 }
 response = self.client.get("/o/.well-known/openid-configuration")
@@ -100,6 +101,7 @@ def expect_json_response_with_rp_logout(self, base):
 "subject_types_supported": ["public"],
 "id_token_signing_alg_values_supported": ["RS256", "HS256"],
 "token_endpoint_auth_methods_supported": ["client_secret_post", "client_secret_basic"],
+ "code_challenge_methods_supported": ["plain", "S256"],
 "claims_supported": ["sub"],
 "end_session_endpoint": f"{base}/logout/",
 }
@@ -133,6 +135,7 @@ def test_get_connect_discovery_info_without_issuer_url(self):
 "subject_types_supported": ["public"],
 "id_token_signing_alg_values_supported": ["RS256", "HS256"],
 "token_endpoint_auth_methods_supported": ["client_secret_post", "client_secret_basic"],
+ "code_challenge_methods_supported": ["plain", "S256"],
 "claims_supported": ["sub"],
 }
 response = self.client.get(reverse("oauth2_provider:oidc-connect-discovery-info"))