auth: oidc: disable pkce by default (#25600)

our goal of "enable by default, only for new auth methods" proved to be unwieldy, so instead make it a simple bool, disabled by default.
2026-01-01 16:05:42 +03:00 · 2025-04-07 13:36:09 -04:00
parent 6c39285538
commit 5c8e436de9
8 changed files with 18 additions and 71 deletions
--- a/internal/testing/apitests/acl_test.go
+++ b/internal/testing/apitests/acl_test.go
@@ -11,7 +11,6 @@ import (
 	capOIDC "github.com/hashicorp/cap/oidc"
 	"github.com/hashicorp/nomad/api"
 	"github.com/hashicorp/nomad/ci"
-	"github.com/hashicorp/nomad/helper/pointer"
 	"github.com/shoenig/test/must"
 )

@@ -95,12 +94,10 @@ func TestACLOIDC_CompleteAuth(t *testing.T) {
 		MaxTokenTTL:   10 * time.Hour,
 		Default:       true,
 		Config: &api.ACLAuthMethodConfig{
-			OIDCDiscoveryURL: oidcTestProvider.Addr(),
-			OIDCClientID:     "mock",
-			OIDCClientSecret: "verysecretsecret",
-			// PKCE is hard to test at this level, because the verifier only
-			// exists on the server. this functionality is covered elsewhere.
-			OIDCEnablePKCE:      pointer.Of(false),
+			OIDCDiscoveryURL:    oidcTestProvider.Addr(),
+			OIDCClientID:        "mock",
+			OIDCClientSecret:    "verysecretsecret",
+			OIDCEnablePKCE:      false,
 			OIDCDisableUserInfo: false,
 			BoundAudiences:      []string{"mock"},
 			AllowedRedirectURIs: []string{"http://127.0.0.1:4649/oidc/callback"},