
PKCE support #3492

Open

camohob wants to merge 2 commits into temporalio:main from camohob:pkce-support

Conversation

@camohob camohob commented Jun 3, 2026

Description & motivation 💭

Add PKCE (Proof Key for Code Exchange, RFC 7636) support to the OAuth2 authorization code flow, gated behind TEMPORAL_AUTH_PKCE_ENABLED environment variable (default false).

Closes #2519.

PKCE provides protection against authorization code interception attacks. When enabled:

  • A cryptographically random code_verifier is generated and stored in a secure HttpOnly cookie
  • code_challenge_method=S256 and code_challenge are included in the auth redirect URL
  • The code_verifier is sent to the token endpoint during code exchange
  • The IdP verifies the challenge matches the verifier

Disabled by default to maintain backward compatibility — existing deployments are unaffected until they opt in.

Screenshots (if applicable) 📸

N/A

Design Considerations 🎨

  • PKCE is optional (off by default) to avoid breaking existing OAuth2 setups
  • Only S256 challenge method is supported (plain method is not implemented per RFC 7636 guidance)
  • code_verifier cookie cleanup is unconditional even when PKCE is disabled — setting MaxAge=-1 for a non-existent cookie is harmless

Testing 🧪

How was this tested 👻

  • All existing tests pass with pkceEnabled parameter added to function signatures

  • New tests added for PKCE-disabled path in both auth and route packages

  • go build ./... and go vet ./... pass (excluding pre-existing ui/embed.go failure without pre-built UI assets)

  • Manual testing

  • E2E tests added

  • Unit tests added

Steps for others to test: 🚶🏽‍♂️🚶🏽‍♀️

  1. Run existing auth tests: cd server && go test ./auth/... ./route/... -v
  2. Verify PKCE-disabled path: all challenge params (code_challenge_method, code_challenge) must be absent from auth URL, and code_verifier cookie must not be set
  3. Verify PKCE-enabled path: auth URL includes code_challenge_method=S256 and code_challenge, code_verifier cookie is set HttpOnly, token exchange sends code_verifier

Checklists

Draft Checklist

  • Code compiles without errors
  • All tests pass
  • go vet clean
  • AUTHENTICATION.md updated with PKCE documentation

Merge Checklist

  • Code reviewed
  • CI passes on Linux

Issue(s) closed

Closes #2519

Docs

Any docs updates needed?

Yes — AUTHENTICATION.md has been updated with:

  • pkceEnabled field in the Auth Settings table
  • New "PKCE Support" section covering configuration, how it works, and when to enable
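
How the verifier, S256 challenge and token-endpoint check described in this PR fit together, as an added Go example that is not the PR's own code; the cookie name and attributes (Secure, SameSite, five-minute MaxAge) are assumptions, and the known-answer values used in testing are the RFC 7636 Appendix B vector.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"net/http"
)

// NewCodeVerifier returns a fresh code_verifier: 32 random bytes, base64url without
// padding, i.e. 43 unreserved characters as RFC 7636 §4.1 requires.
func NewCodeVerifier() (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(buf), nil
}

// S256Challenge computes code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) (§4.2).
func S256Challenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// VerifyS256 is the IdP's token-endpoint check (§4.6); constant-time compare avoids timing leaks.
func VerifyS256(verifier, challenge string) bool {
	return subtle.ConstantTimeCompare([]byte(S256Challenge(verifier)), []byte(challenge)) == 1
}

// setVerifierCookie keeps the verifier between redirect and callback; name and
// attributes here are assumptions, not the PR's code. Short MaxAge limits exposure.
func setVerifierCookie(w http.ResponseWriter, verifier string, secure bool) {
	http.SetCookie(w, &http.Cookie{
		Name:     "code_verifier",
		Value:    verifier,
		Path:     "/",
		HttpOnly: true,
		Secure:   secure,
		SameSite: http.SameSiteLaxMode,
		MaxAge:   300,
	})
}

func main() {
	v, _ := NewCodeVerifier()
	fmt.Println(v, S256Challenge(v), VerifyS256(v, S256Challenge(v)))
}
```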

@camohob camohob requested a review from a team as a code owner June 3, 2026 08:26
vercel Bot commented Jun 3, 2026

Someone is attempting to deploy a commit to the Temporal Team on Vercel.

A member of the Team first needs to authorize it.

CLAassistant commented Jun 3, 2026

CLA assistant check
All committers have signed the CLA.

Development

Successfully merging this pull request may close these issues.

Add support for OAuth PKCE