GCP PKCE flow without `code_challenge` ?

[arichtman-srt]

Hi - thanks for this handy tool!

I'm trying to get a token response from GCP's Oauth - so not specifying the client secret.
There doesn't seem to be an option for setting response_type parameter, but I was able to work around that with -custom.

The issue I'm facing now is I can't see a way to remove the code challenge from the initial redirect, so then GCP complains.

Error: Parameter not allowed for this message type: code_challenge_method

Command:

./oidc-cli -verbose authorization_code \
-issuer https://accounts.google.com \
-client-id $CLIENT_ID \
-pkce \
-custom response_type=token

GCP documentation

[jentz]

oidc-cli does not currently support the implicit flow, which is the source of your issue.

I was unaware that it still had such widespread use, but since Google supports it, it fits the intention of this tool: to provide users with a command-line-driven way to work with OIDC and OAuth2 APIs.

Thanks for creating the issue, I will look into how to add this support.

[jentz]

In the meantime, I confirmed that the authorization_code flow works with Google, but it requires the client secret.

oidc-cli -verbose authorization_code \
--issuer https://accounts.google.com \
-client-id $CLIENT_ID \
-client-secret $CLIENT_SECRET \
-pkce

[arichtman-srt]

I've been doing some more research and it seems Oauth2.1 all but insists on adding the PKCE code_challenge to even client credentials flow to avoid token hijacking. I'm not sure how this sits with the Google Oauth application implementation though.

Thanks for your time!