DuendeSoftware / Support

Support for Duende Software products

Authorization code without PKCE? #1468

Open riaadh opened 5 days ago

riaadh commented 5 days ago

Hello, We are trying to connect Microsoft Power Pages to Duende IdentityServer. From their documentation they only support these flows: https://learn.microsoft.com/en-us/power-pages/security/authentication/openid-provider

Implicit grant
This flow is the default authentication method for Power Pages sites.
Authorization code
Power Pages uses the client_secret_post method to communicate with the identity server's token endpoint.
The private_key_jwt method to authenticate with the token endpoint isn't supported.
Hybrid (restricted support)
Power Pages requires id_token to be present in the response, so response_type = code token isn't supported.
The hybrid flow in Power Pages follows the same flow as implicit grant, and uses id_token to directly sign in users.
Proof Key for Code Exchange (PKCE)
PKCE–based techniques to authenticate users aren't supported.

So my question is: is it possible in IdentityServer to use the authorisation code flow without PKCE? Or can you recommend me a flow compatible with both IdentityServer and the Power Pages supported flows?

Thank you for your help.

StuFrankish commented 4 days ago

Hi @riaadh,

Yes, it's possible to use authorization code flow without PKCE enabled. In your client entity configuration (in Identity Server) you'll want to set the RequirePkce property to false.

PKCE may still be used if your client application is configured to use it, even if RequirePkce is false.

AndersAbel commented 4 days ago

It looks like Power Pages only uses OpenID Connect to sign in and not to receive or use any access tokens. In that case you might as well use the implicit flow and not use the code flow at all.

The implicit flow requires a nonce. For a web application that does not access APIs, that will (as far as I remember) provide the same protection as PKCE does for the code flow.
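The two options from the answers above (StuFrankish's code flow with `RequirePkce = false`, and AndersAbel's id_token-only implicit flow) written out as Duende IdentityServer client registrations. This is an added example, not code from the thread or from Duende; the client ids, secret and redirect URIs are placeholders.

```csharp
using System.Collections.Generic;
using Duende.IdentityServer;
using Duende.IdentityServer.Models;

// Added example, not from the thread: hypothetical client registrations for the two
// options discussed above. Client ids, secret and redirect URIs are placeholders.
public static class PowerPagesClients
{
    public static IEnumerable<Client> Get() => new[]
    {
        // Option 1: authorization code flow with PKCE disabled (StuFrankish's answer).
        // Power Pages authenticates at the token endpoint with client_secret_post,
        // which IdentityServer accepts by default alongside client_secret_basic.
        new Client
        {
            ClientId = "power-pages-code",
            AllowedGrantTypes = GrantTypes.Code,
            RequirePkce = false,          // default is true; a client that still sends PKCE is still verified
            RequireClientSecret = true,   // the secret is now what binds code redemption to this client
            ClientSecrets = { new Secret("replace-with-a-long-random-secret".Sha256()) },
            RedirectUris = { "https://example.powerappsportals.com/signin-oidc" },
            PostLogoutRedirectUris = { "https://example.powerappsportals.com/" },
            AllowedScopes =
            {
                IdentityServerConstants.StandardScopes.OpenId,
                IdentityServerConstants.StandardScopes.Profile
            }
        },

        // Option 2: implicit flow returning only an id_token (AndersAbel's suggestion).
        // No access token is issued through the browser, so the flow only does sign-in.
        new Client
        {
            ClientId = "power-pages-implicit",
            AllowedGrantTypes = GrantTypes.Implicit,
            AllowAccessTokensViaBrowser = false, // response_type=id_token only, never "id_token token"
            RequireClientSecret = false,         // nothing calls the token endpoint in this flow
            RedirectUris = { "https://example.powerappsportals.com/signin-oidc" },
            PostLogoutRedirectUris = { "https://example.powerappsportals.com/" },
            AllowedScopes =
            {
                IdentityServerConstants.StandardScopes.OpenId,
                IdentityServerConstants.StandardScopes.Profile
            }
        }
    };
}
```

Only one of the two clients is needed; pick the one matching the flow selected on the Power Pages side, and keep the redirect URI list exact since, without PKCE, it and the client secret are what remain to tie a code to the intended client.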