From d25c43399c25f31e8e16823eaa00c4ec9a16b7a3 Mon Sep 17 00:00:00 2001
From: Carlos Becker
Date: Thu, 12 Sep 2024 10:21:41 +0200
Subject: [PATCH] OAuth2: allow for 'None' auth method to enable pkce code challenge
---
 .../oauth2/HybridClientRegistrationRepository.java | 12 ++++++++++--
 ui-ngx/src/app/shared/models/oauth2.models.ts | 1 +
 2 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/dao/src/main/java/org/thingsboard/server/dao/oauth2/HybridClientRegistrationRepository.java b/dao/src/main/java/org/thingsboard/server/dao/oauth2/HybridClientRegistrationRepository.java
index c23ab1e3d2..126ee060dd 100644
--- a/dao/src/main/java/org/thingsboard/server/dao/oauth2/HybridClientRegistrationRepository.java
+++ b/dao/src/main/java/org/thingsboard/server/dao/oauth2/HybridClientRegistrationRepository.java
@@ -43,6 +43,15 @@ public class HybridClientRegistrationRepository implements ClientRegistrationRep
 private ClientRegistration toSpringClientRegistration(OAuth2Client oAuth2Client){
 String registrationId = oAuth2Client.getUuidId().toString();
+
+ // NONE is used if we need pkce-based code challenge
+ ClientAuthenticationMethod authMethod = ClientAuthenticationMethod.NONE;
+ if (oAuth2Client.getClientAuthenticationMethod().equals("POST")) {
+ authMethod = ClientAuthenticationMethod.CLIENT_SECRET_POST;
+ } else if (oAuth2Client.getClientAuthenticationMethod().equals("BASIC")) {
+ authMethod = ClientAuthenticationMethod.CLIENT_SECRET_BASIC;
+ }
+
 return ClientRegistration.withRegistrationId(registrationId)
 .clientName(oAuth2Client.getName())
 .clientId(oAuth2Client.getClientId())
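Review bot: The fallback in the added `authMethod` selection is `ClientAuthenticationMethod.NONE`, so any stored value other than "POST" or "BASIC" (a typo, an empty string, a value written by a different version) is now registered with no client authentication, where the removed ternary fell back to `CLIENT_SECRET_BASIC`. Select NONE only on an explicit match and keep the previous default: initialise with `ClientAuthenticationMethod authMethod = ClientAuthenticationMethod.CLIENT_SECRET_BASIC;` and add a branch `else if ("NONE".equals(oAuth2Client.getClientAuthenticationMethod())) { authMethod = ClientAuthenticationMethod.NONE; }`. Writing all three comparisons constant-first also avoids the NullPointerException that `getClientAuthenticationMethod().equals(...)` throws when the stored value is null. The body of toSpringClientRegistration continues outside this hunk, so whether a client secret is still passed to the builder for a NONE client cannot be checked from here.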
@@ -54,8 +63,7 @@ public class HybridClientRegistrationRepository implements ClientRegistrationRep
 .userInfoUri(oAuth2Client.getUserInfoUri())
 .userNameAttributeName(oAuth2Client.getUserNameAttributeName())
 .jwkSetUri(oAuth2Client.getJwkSetUri())
- .clientAuthenticationMethod(oAuth2Client.getClientAuthenticationMethod().equals("POST") ?
- ClientAuthenticationMethod.CLIENT_SECRET_POST : ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
+ .clientAuthenticationMethod(authMethod)
 .redirectUri(defaultRedirectUriTemplate)
 .build();
 }
diff --git a/ui-ngx/src/app/shared/models/oauth2.models.ts b/ui-ngx/src/app/shared/models/oauth2.models.ts
index dd024715d5..bb2de147ad 100644
--- a/ui-ngx/src/app/shared/models/oauth2.models.ts
+++ b/ui-ngx/src/app/shared/models/oauth2.models.ts
@@ -69,6 +69,7 @@ export interface OAuth2RegistrationInfo {
 }
 export enum ClientAuthenticationMethod {
+ NONE = 'NONE',
 BASIC = 'BASIC',
 POST = 'POST'
 }