From 444d45ba50c850cd94cbcd8c95df8a8f24272764 Mon Sep 17 00:00:00 2001
From: Ryan Johnson
Date: Fri, 22 Dec 2023 15:04:11 -0800
Subject: [PATCH] disable PKCE by default

---
 docs/settings.rst | 3 +--
 mozilla_django_oidc/views.py | 3 +--
 tests/test_views.py | 4 ++++
 3 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/docs/settings.rst b/docs/settings.rst
index b0aa7e09..eee208fb 100644
--- a/docs/settings.rst
+++ b/docs/settings.rst
@@ -281,7 +281,7 @@ of ``mozilla-django-oidc``.
 .. py:attribute:: OIDC_USE_PKCE
-    :default: ``True``
+    :default: ``False``
     Controls whether the authentication backend uses PKCE (Proof Key For Code Exchange) during the authorization code flow.
@@ -324,4 +324,3 @@ of ``mozilla-django-oidc``.
     .. seealso:: https://datatracker.ietf.org/doc/html/rfc7636#section-4.1
-
diff --git a/mozilla_django_oidc/views.py b/mozilla_django_oidc/views.py
index b9e6a666..0f05b8b2 100644
--- a/mozilla_django_oidc/views.py
+++ b/mozilla_django_oidc/views.py
@@ -88,7 +88,6 @@ def get(self, request):
             auth.logout(request)
             assert not request.user.is_authenticated
         elif "code" in request.GET and "state" in request.GET:
-            # Check instead of "oidc_state" check if the "oidc_states" session key exists!
             if "oidc_states" not in request.session:
                 return self.login_failure()
 
@@ -197,7 +196,7 @@ def get(self, request):
             nonce = get_random_string(self.get_settings("OIDC_NONCE_SIZE", 32))
             params.update({"nonce": nonce})
 
-        if self.get_settings("OIDC_USE_PKCE", True):
+        if self.get_settings("OIDC_USE_PKCE", False):
             code_verifier_length = self.get_settings("OIDC_PKCE_CODE_VERIFIER_SIZE", 64)
             # Check that code_verifier_length is between the min and max length
             # defined in https://datatracker.ietf.org/doc/html/rfc7636#section-4.1
diff --git a/tests/test_views.py b/tests/test_views.py
index d850254d..b77b9feb 100644
--- a/tests/test_views.py
+++ b/tests/test_views.py
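Review bot: Flipping the fallback on `if self.get_settings("OIDC_USE_PKCE", False):` silently removes PKCE from every deployment that never set `OIDC_USE_PKCE`, so after this release the authorization-code exchange for those sites is protected against code injection only by the `nonce` generated a few lines above (its guarding `if` begins outside the hunk) and by the client secret; that is the minimum the OAuth 2.0 Security BCP accepts for a confidential OIDC client, but RFC 7636 PKCE was the defense in depth, and neither the hunk nor the commit message says why it is being given up. Presumably the motivation is OPs that reject unknown `code_challenge` parameters, but that should be confirmed and recorded on the changed line, e.g. `# PKCE is opt-in (default False); enable OIDC_USE_PKCE wherever the OP supports RFC 7636.` Since the old default was `True`, a one-time warning when the setting is absent (if this module has a logger) would let operators notice the downgrade instead of discovering it from a changed authorization URL. `get()` starts and ends outside this hunk.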
@@ -477,6 +477,7 @@ def setUp(self):
 
     @override_settings(OIDC_OP_AUTHORIZATION_ENDPOINT="https://server.example.com/auth")
     @override_settings(OIDC_RP_CLIENT_ID="example_id")
+    @override_settings(OIDC_USE_PKCE=True)
     @patch("mozilla_django_oidc.views.get_random_string")
     def test_get(self, mock_views_random):
         """Test initiation of a successful OIDC attempt."""
@@ -588,6 +589,7 @@ def test_get_invalid_code_verifier_size_too_long(self, mock_views_random):
     @override_settings(ROOT_URLCONF="tests.namespaced_urls")
     @override_settings(OIDC_OP_AUTHORIZATION_ENDPOINT="https://server.example.com/auth")
     @override_settings(OIDC_RP_CLIENT_ID="example_id")
+    @override_settings(OIDC_USE_PKCE=True)
     @override_settings(
         OIDC_AUTHENTICATION_CALLBACK_URL="namespace:oidc_authentication_callback"
     )
@@ -629,6 +631,7 @@ def test_get_namespaced(self, mock_views_random):
 
     @override_settings(OIDC_OP_AUTHORIZATION_ENDPOINT="https://server.example.com/auth")
     @override_settings(OIDC_RP_CLIENT_ID="example_id")
+    @override_settings(OIDC_USE_PKCE=True)
     @override_settings(
         OIDC_AUTH_REQUEST_EXTRA_PARAMS={"audience": "some-api.example.com"}
     )
@@ -671,6 +674,7 @@ def test_get_with_audience(self, mock_views_random):
 
     @override_settings(OIDC_OP_AUTHORIZATION_ENDPOINT="https://server.example.com/auth")
     @override_settings(OIDC_RP_CLIENT_ID="example_id")
+    @override_settings(OIDC_USE_PKCE=True)
     @patch("mozilla_django_oidc.views.get_random_string")
     @patch("mozilla_django_oidc.views.OIDCAuthenticationRequestView.get_extra_params")
     def test_get_with_overridden_extra_params(
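Review bot: Adding `@override_settings(OIDC_USE_PKCE=True)` to `test_get` keeps the existing PKCE assertions green but leaves the new default path with no coverage: nothing in these hunks runs the authorization request with `OIDC_USE_PKCE` unset and checks that the redirect carries no `code_challenge`/`code_challenge_method` and that no verifier is kept in the session state. Since the default flip is the whole point of the commit, add a sibling test such as `test_get_pkce_disabled_by_default` that leaves the setting unset and asserts those parameters are absent, and ideally an explicit `OIDC_USE_PKCE=False` variant so a future default change is caught either way. `test_get` continues past the end of this hunk.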