
PKCE for Social Sign-in

Ory Identities supports the PKCE (Proof Key for Code Exchange) extension to the OpenID Connect / OAuth 2.0 protocol during social sign-in flows.

In most cases, you don't have to do anything to enable PKCE. If the social sign-in provider advertises support for PKCE, Ory Identities will automatically configure itself to use it.
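To make concrete what Ory Identities negotiates with the provider when PKCE is in use, here is an added example (not code from the Ory project) that implements the RFC 7636 exchange end to end: the client derives a `code_challenge` from a random `code_verifier`, the provider stores the challenge alongside the authorization code, and the token request is only honoured when the presented verifier hashes back to that challenge. The `authorization_request` / `token_request` functions and the in-memory `session` and `store` dictionaries are assumptions standing in for the real client and provider; the test vector values are the ones published in RFC 7636 Appendix B.

```python
import base64
import hashlib
import hmac
import secrets


def b64url_no_pad(data: bytes) -> str:
    """Base64url encoding without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """RFC 7636 section 4.1: 43..128 unreserved characters.
    32 random bytes encode to exactly 43 characters."""
    return b64url_no_pad(secrets.token_bytes(n_bytes))


def make_code_challenge(verifier: str, method: str = "S256") -> str:
    """RFC 7636 section 4.2: S256 is BASE64URL(SHA256(ASCII(verifier)));
    'plain' sends the verifier itself and should only be used when S256 is unavailable."""
    if method == "S256":
        return b64url_no_pad(hashlib.sha256(verifier.encode("ascii")).digest())
    if method == "plain":
        return verifier
    raise ValueError(f"unsupported code_challenge_method: {method}")


def verify_code_challenge(verifier: str, challenge: str, method: str) -> bool:
    """Provider-side check from RFC 7636 section 4.6, in constant time."""
    try:
        expected = make_code_challenge(verifier, method)
    except ValueError:
        return False
    return hmac.compare_digest(expected, challenge)


# --- Simulated flow (hypothetical helpers, constructed for this example) ---

def authorization_request(session: dict, store: dict, method: str = "S256") -> str:
    """Client side: mint a verifier, keep it in the login session, send only the
    challenge to the provider. Provider side: issue a code bound to that challenge."""
    verifier = make_code_verifier()
    session["pkce_verifier"] = verifier
    challenge = make_code_challenge(verifier, method)
    code = secrets.token_urlsafe(16)          # authorization code returned via redirect
    store[code] = {"challenge": challenge, "method": method}
    return code


def token_request(store: dict, code: str, verifier: str) -> bool:
    """Provider side: the code is single-use and is only redeemed when the
    presented verifier matches the challenge recorded at authorization time."""
    entry = store.pop(code, None)             # consume the code regardless of outcome
    if entry is None:
        return False
    return verify_code_challenge(verifier, entry["challenge"], entry["method"])


if __name__ == "__main__":
    session, store = {}, {}
    code = authorization_request(session, store)
    print("legitimate redemption:", token_request(store, code, session["pkce_verifier"]))
    code = authorization_request(session, store)
    print("code without the verifier:", token_request(store, code, "not-the-verifier"))
```

The last two lines of the `__main__` block show the property that makes PKCE worthwhile for a public or redirect-based client: an authorization code observed in transit cannot be redeemed without the verifier that never left the client's session, and a code is consumed on the first attempt either way.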

In the case of the generic OIDC provider, specify the issuer URL (`issuer_url`) in the configuration as usual so that automatic configuration (OIDC discovery) can detect PKCE support.

```yaml
selfservice:
  methods:
    oidc:
      enabled: true
      config:
        providers:
          - id: generic
            provider: generic # or another provider
            issuer_url: https://accounts.google.com # must be set to enable automatic configuration
            pkce: auto # default: perform PKCE if the provider advertises support for it
            # ... other configuration options
```

Forcing PKCE

There may be OIDC providers which support PKCE but don't advertise it. If you want to force Ory Identities to use PKCE anyway, configure the provider with the `pkce` option set to `force`:

```yaml
selfservice:
  methods:
    oidc:
      enabled: true
      config:
        providers:
          - id: generic
            provider: generic # or another provider
            pkce: force # forces PKCE support, skips automatic configuration
            # ... other configuration options
```

Warning: If you set `pkce: force`, you must whitelist a different redirect URL with the OIDC provider. Instead of `https://<slug>.projects.oryapis.com/self-service/methods/oidc/callback/<provider-id>`, use `https://<slug>.projects.oryapis.com/self-service/methods/oidc/callback`. Note the missing provider ID and the absence of a trailing slash. Use this second URL also if you force a B2B SSO provider to use PKCE.

Disabling PKCE

If for any reason you want to disable PKCE completely, set `pkce` to `never`.

```yaml
selfservice:
  methods:
    oidc:
      enabled: true
      config:
        providers:
          - id: generic
            provider: generic # or another provider
            pkce: never # do not perform PKCE even if the provider advertises support for it
            # ... other configuration options
```