#PKCE, Etsy, OIDC, External OAuth provider

2 messages · Page 1 of 1 (latest)

lyric hull

First, thanks for creating and maintaining this software. I'm almost glad I couldn't convince my (wise and wonderful) senior devs to try PocketBase in production. So, I want to be very respectful when bringing this up. I'm totally new to PHP and learned about OAuth and PKCE two days ago. Searching the keywords "pkce", "oidc", "zitadel" doesn't seem to return any results in which people have successfully resolved their problem. I also have the option to not use PKCE at all, using the basic code exchange method, but I found this worth playing with.

https://appwrite.io/blog/post/oauth-openid
I suspect that this article is AI generated. Appwrite currently has no such support for PKCE [1], outside of Etsy, which I don't think works or adheres to the PKCE specification (the random string is never hashed; the same random string is used as both verifier and challenge). It seems to be addressed entirely in an unmerged PR [2].

Setting $this->pkce doesn't seem to be persistent across requests. I'm assuming this has something to do with statelessness, or how Swoole works. According to the previous implementation of the PKCE flow in Etsy.php, it seems to attempt to generate the code verifier string once, then reuse it for every other request, including the callback.

Under section 1 of PKCE, the code verifier should be unique between requests:

"A unique code verifier is created for every authorization request..."

The current state of my experiments with PKCE: https://github.com/aureateAnatidae/appwrite/blob/main/src/Appwrite/Auth/OAuth2/Oidc.php. I don't want to open a PR yet, because I haven't gotten it to work with random strings, and I'm not sure how to store the PKCE string. I'm totally unfamiliar with what practices you might prefer (something like Redis? MariaDB? I'm unfamiliar with Redis and haven't looked at how Appwrite uses MariaDB for auth.)

Relevant links:
[1] https://github.com/appwrite/appwrite/issues/3143
[2] https://github.com/appwrite/appwrite/pull/5261/files

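Added example, not code from Appwrite, from the poster's fork, or from the Etsy provider discussed above: a minimal PHP sketch of what the message argues the PKCE flow should do under RFC 7636. It generates a fresh code_verifier for every authorization request, sends only the S256 challenge (never the raw verifier) to the provider, and persists the verifier under the `state` value so the callback, which arrives as a separate HTTP request, can retrieve it. The `VerifierStore` interface, `InMemoryVerifierStore`, the endpoint URLs, the client id and the `constructed-code` value are all constructed for this example; a deployment would back the store with Redis or the database instead of a PHP array.

```php
<?php
declare(strict_types=1);

// Added example (not Appwrite's code): RFC 7636 PKCE with a per-request
// verifier persisted under `state` so the callback request can find it.

function base64url(string $bytes): string
{
    return rtrim(strtr(base64_encode($bytes), '+/', '-_'), '=');
}

// RFC 7636 section 4.1: 43..128 chars of [A-Za-z0-9-._~]; 32 random bytes -> 43 chars.
function generateCodeVerifier(): string
{
    return base64url(random_bytes(32));
}

// RFC 7636 section 4.2: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
function codeChallengeS256(string $verifier): string
{
    return base64url(hash('sha256', $verifier, true));
}

// Assumed abstraction for the example; a real store would be Redis or the DB,
// with a TTL so abandoned logins do not accumulate.
interface VerifierStore
{
    public function put(string $state, string $verifier): void;
    public function take(string $state): ?string; // returns and deletes: single use
}

final class InMemoryVerifierStore implements VerifierStore
{
    /** @var array<string,string> state => code_verifier */
    private array $map = [];

    public function put(string $state, string $verifier): void
    {
        $this->map[$state] = $verifier;
    }

    public function take(string $state): ?string
    {
        $verifier = $this->map[$state] ?? null;
        unset($this->map[$state]);
        return $verifier;
    }
}

// Step 1 (login request): new state and verifier every time; only the challenge leaves the server.
function buildAuthorizationUrl(VerifierStore $store, string $authEndpoint, string $clientId, string $redirectUri, string $scope): string
{
    $state    = base64url(random_bytes(16)); // doubles as the CSRF binding for the callback
    $verifier = generateCodeVerifier();
    $store->put($state, $verifier);

    $params = [
        'response_type'         => 'code',
        'client_id'             => $clientId,
        'redirect_uri'          => $redirectUri,
        'scope'                 => $scope,
        'state'                 => $state,
        'code_challenge'        => codeChallengeS256($verifier),
        'code_challenge_method' => 'S256',
    ];
    return $authEndpoint . '?' . http_build_query($params, '', '&', PHP_QUERY_RFC3986);
}

// Step 2 (callback request): look the verifier up by the returned state and send it with the code.
// Returns the token-endpoint POST body, or null when the state is unknown (forged, expired or replayed).
function buildTokenRequestBody(VerifierStore $store, string $code, string $state, string $clientId, string $redirectUri): ?array
{
    $verifier = $store->take($state);
    if ($verifier === null) {
        return null;
    }
    return [
        'grant_type'    => 'authorization_code',
        'code'          => $code,
        'redirect_uri'  => $redirectUri,
        'client_id'     => $clientId,
        'code_verifier' => $verifier,
    ];
}

// RFC 7636 Appendix B test vector for the S256 transform.
assert(codeChallengeS256('dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk')
    === 'E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM');

// Constructed round trip: the verifier sent at the callback must match the challenge sent earlier.
$store = new InMemoryVerifierStore();
$url   = buildAuthorizationUrl($store, 'https://issuer.example/oauth/authorize', 'my-client', 'https://app.example/callback', 'openid profile');
parse_str((string) parse_url($url, PHP_URL_QUERY), $q);
$body  = buildTokenRequestBody($store, 'constructed-code', $q['state'], 'my-client', 'https://app.example/callback');
assert($body !== null && codeChallengeS256($body['code_verifier']) === $q['code_challenge']);
assert(buildTokenRequestBody($store, 'constructed-code', $q['state'], 'my-client', 'https://app.example/callback') === null); // second use rejected
```

Run it with `php pkce.php` (assertions are on by default in the CLI unless `zend.assertions` is set to -1). Two design points matter for the bug the message describes: the verifier must not live in a request-scoped object such as `$this->pkce`, because the authorization redirect and the callback are different requests (and, under Swoole, possibly different workers), so it has to be keyed by something that round-trips through the provider, and `state` is exactly that value; and the store's `take()` is single use, so a replayed callback fails closed instead of reusing an old verifier.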

little helm