From a7addfece8e70f930a90ddac23bbb8589002e505 Mon Sep 17 00:00:00 2001
From: uphillcheddar
Date: Mon, 15 Sep 2025 23:48:33 -0400
Subject: [PATCH] fix(oauth): omit blank pkce from url when not supported (#21976)
* fix(oauth): omit blank pkce from url when now pkce
* fix(oauth): use spread operator for pkce params
* chore: use first method
---------
Co-authored-by: Your Name
Co-authored-by: Jason Rasmussen
---
 server/src/repositories/oauth.repository.ts | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/server/src/repositories/oauth.repository.ts b/server/src/repositories/oauth.repository.ts
index 9a436e4b9a..58b1144647 100644
--- a/server/src/repositories/oauth.repository.ts
+++ b/server/src/repositories/oauth.repository.ts
@@ -29,6 +29,7 @@ export class OAuthRepository {
 );
 const client = await this.getClient(config);
 state ??= randomState();
+
 let codeVerifier: string | null;
 if (codeChallenge) {
 codeVerifier = null;
@@ -36,13 +37,20 @@ export class OAuthRepository {
 codeVerifier = randomPKCECodeVerifier();
 codeChallenge = await calculatePKCECodeChallenge(codeVerifier);
 }
- const url = buildAuthorizationUrl(client, {
+
+ const params: Record = {
 redirect_uri: redirectUrl,
 scope: config.scope,
 state,
- code_challenge: client.serverMetadata().supportsPKCE() ? codeChallenge : '',
- code_challenge_method: client.serverMetadata().supportsPKCE() ? 'S256' : '',
- }).toString();
+ };
+
+ if (client.serverMetadata().supportsPKCE()) {
+ params.code_challenge = codeChallenge;
+ params.code_challenge_method = 'S256';
+ }
+
+ const url = buildAuthorizationUrl(client, params).toString();
+
 return { url, state, codeVerifier };
 }
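Review bot: When `supportsPKCE()` is false in the second hunk, the new `if` block leaves `code_challenge` out of the URL, but the method still returns the `codeVerifier` generated a few lines earlier, so the caller cannot tell that PKCE was never requested. If that verifier is later sent on the token request (not visible in this hunk), an authorization server that implements PKCE without advertising it in its metadata (presumably `code_challenge_methods_supported`) may reject a `code_verifier` that has no matching challenge. In every unsupported case the flow now relies on `state` alone to bind the response, and nothing records that downgrade. Consider adding `else { codeVerifier = null; }` after the `if` and emitting a log line there naming the provider, so operators can see which logins run without PKCE. The enclosing method begins outside the hunk.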