mirror of
https://github.com/kemko/nomad.git
synced 2026-01-01 16:05:42 +03:00
trying not to violate the principle of least astonishment.

we want to only auto-enable PKCE on *new* auth methods, rather than *new or updated* auth methods, to avoid a scenario where a Nomad admin updates an auth method sometime in the future -- something innocent like a new client secret -- and their OIDC provider doesn't like PKCE.

the main concern is that the provider won't like PKCE in a totally confusing way. error messages rarely say PKCE directly, so why the user's auth method suddenly broke would be a big mystery.

this means that to enable it on existing auth methods, you would set `OIDCDisablePKCE = false`, and the double-negative doesn't feel right, so instead, swap the language, so enabling it on *existing* methods reads sensibly, and to disable it on *new* methods reads ok-enough: `OIDCEnablePKCE = false`
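
The defaulting rule described in the commit message above, as an added Go example that is not part of the commit and is not Nomad's code. The `AuthMethodConfig` type and `ResolvePKCE` function are hypothetical; only the `OIDCEnablePKCE` name comes from the message, and modelling it as a `*bool` so that "omitted" is distinguishable from `false` is an assumption, as is leaving the stored value alone when an update omits the field.

```go
package main

import "fmt"

// AuthMethodConfig is a hypothetical, simplified stand-in for an OIDC auth
// method config. Only the OIDCEnablePKCE name comes from the commit message.
type AuthMethodConfig struct {
	OIDCClientSecret string
	// nil means the request (or a method stored before the option existed)
	// says nothing about PKCE. Assumption: tri-state via pointer.
	OIDCEnablePKCE *bool
}

// ResolvePKCE returns the PKCE setting to store for an upsert request.
// existing is nil when the auth method is being created.
func ResolvePKCE(existing, incoming *AuthMethodConfig) bool {
	// An explicit choice always wins, on create and on update.
	if incoming.OIDCEnablePKCE != nil {
		return *incoming.OIDCEnablePKCE
	}
	// New method, nothing specified: auto-enable PKCE.
	if existing == nil {
		return true
	}
	// Update that does not mention PKCE: keep whatever is stored, so an
	// unrelated change (a new client secret) never switches PKCE on.
	if existing.OIDCEnablePKCE != nil {
		return *existing.OIDCEnablePKCE
	}
	return false // method predates the option
}

func main() {
	off := false
	legacy := &AuthMethodConfig{OIDCClientSecret: "old-secret"} // constructed sample
	fmt.Println("create, unset:      ", ResolvePKCE(nil, &AuthMethodConfig{}))
	fmt.Println("create, set false:  ", ResolvePKCE(nil, &AuthMethodConfig{OIDCEnablePKCE: &off}))
	fmt.Println("update secret only: ", ResolvePKCE(legacy, &AuthMethodConfig{OIDCClientSecret: "new-secret"}))
}
```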