From a0357ad227b51b9953a899b298337bcddcbe86dc Mon Sep 17 00:00:00 2001
From: Martin Wurm <git@mart-w.de>
Date: Tue, 12 Mar 2024 03:42:04 +0100
Subject: [PATCH] Add instructions on how to enable PKCE in Nextcloud (#2647)

---
 book/src/integrations/oauth2.md | 13 +++++--------
 1 file changed, 5 insertions(+), 8 deletions(-)

diff --git a/book/src/integrations/oauth2.md b/book/src/integrations/oauth2.md
index f1a02c95e..ac044d1c1 100644
--- a/book/src/integrations/oauth2.md
+++ b/book/src/integrations/oauth2.md
@@ -378,10 +378,14 @@ OAUTH2_OIDC_DISCOVERY_ENDPOINT = "https://idm.example.com/oauth2/openid/<oauth2_
 Install the module [from the nextcloud market place](https://apps.nextcloud.com/apps/user_oidc) - it
 can also be found in the Apps section of your deployment as "OpenID Connect user backend".
 
-In Nextcloud's config.php you need to allow connection to remote servers:
+In Nextcloud's config.php you need to allow connection to remote servers and enable PKCE:
 
 ```php
 'allow_local_remote_servers' => true,
+
+'user_oidc' => [
+    'use_pkce' => true,
+],
 ```
 
 You may optionally choose to add:
@@ -397,13 +401,6 @@ If you forget this, you may see the following error in logs:
 Host 172.24.11.129 was not connected to because it violates local access rules
 ```
 
-This module does not support PKCE or ES256. You will need to run:
-
-```bash
-kanidm system oauth2 warning-insecure-client-disable-pkce <resource server name>
-kanidm system oauth2 warning-enable-legacy-crypto <resource server name>
-```
-
 In the settings menu, configure the discovery URL and client ID and secret.
 
 You can choose to disable other login methods with: