
PKCE, Etsy, OIDC, External OAuth provider

  • 0
  • Self Hosted
  • Auth
  • Web
aureateAnatidae
14 May, 2025, 20:23

First, thanks for creating and maintaining this software. I'm almost glad I couldn't convince my (wise and wonderful) senior devs to try PocketBase on production. So, I want to be very respectful when bringing this up. I'm totally new to PHP and learned about OAuth and PKCE two days ago. Searching keywords "pkce", "oidc", "zitadel" doesn't seem to return any results in which people have successfully resolved their problem. I also have the option to not use PKCE at all, using the basic code exchange method, but I found this worth playing with.

https://appwrite.io/blog/post/oauth-openid I suspect that this article is AI generated. Appwrite currently has no such support for PKCE [1], outside of Etsy, which I don't think works or adheres to the PKCE specification (the random string is never hashed; the same random string is used as verifier and challenge). It seems to be addressed entirely in an unmerged PR [2].

Setting $this->pkce doesn't seem to be persistent across requests. I'm assuming this is something to do with statelessness, or how Swoole works. According to the previous implementation of the PKCE flow in Etsy.php, it seems to attempt to generate the code verifier string once, then reuse it for each other request, including the callback.

Under section 1 of PKCE, the code verifier should be unique between requests:

"A unique code verifier is created for every authorization request..."

The current state of my experiments with PKCE: https://github.com/aureateAnatidae/appwrite/blob/main/src/Appwrite/Auth/OAuth2/Oidc.php. I don't want to open up a PR yet, because I haven't gotten it to work with random strings, and I'm not sure how to store the PKCE string. I'm totally unfamiliar with what practices you might prefer (something like Redis? MariaDB? I'm unfamiliar with Redis and haven't looked at how Appwrite uses MariaDB for auth.)

Relevant links:
[1] https://github.com/appwrite/appwrite/issues/3143
[2] https://github.com/appwrite/appwrite/pull/5261/files
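To make the two problems raised above concrete (a verifier that is never hashed, and a verifier that is reused across requests instead of being stored per authorization request), here is an added example of the RFC 7636 flow. It is not code from the original post, from Appwrite, or from the linked PR, and it is in Python rather than Appwrite's PHP because the point is the protocol, not the codebase. The `PkceStore` class is a hypothetical in-memory stand-in for whatever backing store (Redis, MariaDB, a session) a backend would actually use; the `provider_check` function simulates what the OAuth provider does at the token endpoint.

```python
import base64
import hashlib
import secrets
from typing import Dict, Optional, Tuple


def _b64url(raw: bytes) -> str:
    # RFC 7636 uses base64url without padding (Appendix A).
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    # RFC 7636 section 4.1: 43..128 chars from [A-Za-z0-9-._~].
    # 32 random bytes base64url-encoded give exactly 43 characters.
    return _b64url(secrets.token_bytes(n_bytes))


def make_code_challenge(verifier: str, method: str = "S256") -> str:
    # Section 4.2: S256 sends a hash, so the verifier never travels in the
    # authorization request (front channel). "plain" sends the verifier itself,
    # which is what reusing one random string as both values amounts to.
    if method == "S256":
        return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    if method == "plain":
        return verifier
    raise ValueError("unsupported code_challenge_method: %s" % method)


class PkceStore:
    """Hypothetical per-request verifier storage, keyed by the OAuth `state`.

    A real backend would put this in Redis, a database or a session so it
    survives across the redirect to the provider and the callback request.
    """

    def __init__(self) -> None:
        self._by_state: Dict[str, str] = {}

    def begin(self, method: str = "S256") -> Tuple[str, str]:
        # One fresh verifier per authorization request (section 1), bound to
        # an unguessable state so the callback can find it again.
        state = _b64url(secrets.token_bytes(16))
        verifier = make_code_verifier()
        self._by_state[state] = verifier
        return state, make_code_challenge(verifier, method)

    def finish(self, state: str) -> Optional[str]:
        # The callback redeems the state exactly once; a replayed or unknown
        # state gets None and the token exchange is refused.
        return self._by_state.pop(state, None)


def provider_check(stored_challenge: str, method: str, presented_verifier: str) -> bool:
    # What the provider does at /token (section 4.6): recompute the challenge
    # from the verifier it just received and compare in constant time.
    try:
        recomputed = make_code_challenge(presented_verifier, method)
    except ValueError:
        return False
    return secrets.compare_digest(recomputed, stored_challenge)


if __name__ == "__main__":
    store = PkceStore()
    state, challenge = store.begin()          # sent with the /authorize redirect
    verifier = store.finish(state)            # recovered in the callback handler
    assert verifier is not None
    print("provider accepts:", provider_check(challenge, "S256", verifier))
    print("replay rejected:", store.finish(state) is None)
```

With S256 the only value exposed in the browser redirect is the SHA-256 digest, so an attacker who observes the authorization request still cannot complete the token exchange; with a reused, unhashed string both halves of the secret are identical and visible on the front channel. The store's single-use `finish` is the property the first post was missing when `$this->pkce` did not persist across requests.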

TL;DR
Developers are discussing PKCE use with Appwrite, OAuth, and OIDC. PKCE is typically used in mobile/web apps, but Appwrite backends use the auth code flow. PKCE support in Appwrite is limited, with an unmerged PR addressing the issue. A state persistence issue and code verifier uniqueness problems were encountered. The experiment is ongoing, looking into storage solutions. Relevant links are provided for further context.
Steven
14 May, 2025, 20:27

PKCE is typically used in mobile and web apps when talking directly to the OAuth2 provider. Appwrite is the backend that handles the OAuth2, so the auth code flow is used rather than PKCE.

aureateAnatidae
14 May, 2025, 20:29

Thanks - I'm relieved to know that I'm overcomplicating things a little.
