From 9877a529557e31d9445b573c0eddac05d786b53e Mon Sep 17 00:00:00 2001
From: "CMF\\e-leite"
Date: Thu, 12 Mar 2026 16:08:37 +0000
Subject: [PATCH] fix: allow OpenID PKCE authentication without client secret
---
 api/server/routes/config.js | 2 +-
 api/server/socialLogins.js | 2 +-
 api/strategies/openidStrategy.js | 13 +++++++++----
 3 files changed, 11 insertions(+), 6 deletions(-)
diff --git a/api/server/routes/config.js b/api/server/routes/config.js
index bf60f57e08..9f16d3a14b 100644
--- a/api/server/routes/config.js
+++ b/api/server/routes/config.js
@@ -41,7 +41,7 @@ router.get('/', async function (req, res) {
 const isOpenIdEnabled =
 !!process.env.OPENID_CLIENT_ID &&
- !!process.env.OPENID_CLIENT_SECRET &&
+ (isEnabled(process.env.OPENID_USE_PKCE) || !!process.env.OPENID_CLIENT_SECRET) &&
 !!process.env.OPENID_ISSUER &&
 !!process.env.OPENID_SESSION_SECRET;
diff --git a/api/server/socialLogins.js b/api/server/socialLogins.js
index a84c33bd52..d8b364fb95 100644
--- a/api/server/socialLogins.js
+++ b/api/server/socialLogins.js
@@ -73,7 +73,7 @@ const configureSocialLogins = async (app) => {
 }
 if (
 process.env.OPENID_CLIENT_ID &&
- process.env.OPENID_CLIENT_SECRET &&
+ (isEnabled(process.env.OPENID_USE_PKCE) || process.env.OPENID_CLIENT_SECRET) &&
 process.env.OPENID_ISSUER &&
 process.env.OPENID_SCOPE &&
 process.env.OPENID_SESSION_SECRET
diff --git a/api/strategies/openidStrategy.js b/api/strategies/openidStrategy.js
index 7c43358297..5fac335c4a 100644
--- a/api/strategies/openidStrategy.js
+++ b/api/strategies/openidStrategy.js
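Review bot: In the config.js hunk, `isEnabled(process.env.OPENID_USE_PKCE) || !!process.env.OPENID_CLIENT_SECRET` lets the `/config` route advertise OpenID login for a public client (no secret) on the strength of a single flag, while nothing in this diff adds a PKCE `code_challenge` to the authorization request; if that is already implemented behind `OPENID_USE_PKCE` a one-line comment should say so, e.g. `// OPENID_USE_PKCE: public client, PKCE stands in for the client secret (openidStrategy.js then sets token_endpoint_auth_method 'none')`, otherwise this gate promises a flow the strategy cannot complete. The socialLogins.js hunk duplicates the same predicate with bare truthiness instead of `!!`, so a shared helper (for example an `isOpenIdConfigured()` in a common utils module) would keep the UI gate and the strategy registration from drifting apart. Both hunks also assume `isEnabled` is already imported in their respective files; the diff adds no import, so confirm it is in scope before merge, since a missing name would surface as a ReferenceError at request time rather than at startup. Both enclosing functions start and end outside the hunks.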
@@ -772,18 +772,23 @@ const setupOpenIdAdmin = (openidConfig) => {
 */
 async function setupOpenId() {
 try {
+ const usePKCE = isEnabled(process.env.OPENID_USE_PKCE);
 const shouldGenerateNonce = isEnabled(process.env.OPENID_GENERATE_NONCE);
 /** @type {ClientMetadata} */
 const clientMetadata = {
 client_id: process.env.OPENID_CLIENT_ID,
- client_secret: process.env.OPENID_CLIENT_SECRET,
+ response_types: ['code'],
+ grant_types: ['authorization_code']
 };
- if (shouldGenerateNonce) {
- clientMetadata.response_types = ['code'];
- clientMetadata.grant_types = ['authorization_code'];
+ const clientSecret = process.env.OPENID_CLIENT_SECRET?.trim();
+
+ if (clientSecret) {
+ clientMetadata.client_secret = clientSecret;
 clientMetadata.token_endpoint_auth_method = 'client_secret_post';
+ } else if (usePKCE) {
+ clientMetadata.token_endpoint_auth_method = 'none';
 }
 /** @type {Configuration} */