Merge pull request #13757 from Security-Onion-Solutions/jertel/wip

adjustments for support of PKCE OIDC

salt/kratos/defaults.yaml

@@ -6,6 +6,7 @@ kratos:
       id: SSO
       mapper_url: file:///kratos-conf/oidc.jsonnet
       subject_source: userinfo
+      pkce: auto
       scope:
         - email
         - profile

salt/kratos/soc_kratos.yaml

@@ -70,6 +70,11 @@ kratos:
         global: True
         forcedType: "[]string"
         helpLink: oidc.html
+      pkce:
+        description: Set to 'force' if the OIDC provider does not support auto-detection of PKCE, but does support PKCE. Set to `never` to disable PKCE. The default setting automatically attempts to detect if PKCE is supported. The provider's `well-known/openid-configuration` JSON response must contain the `S256` algorithm within the `code_challenge_methods_supported` list in order for the auto-detection to correctly detect PKCE is supported.
+        global: True
+        forcedType: string
+        helpLink: oidc.html
       requested_claims: 
         id_token:
           email:

salt/nginx/etc/nginx.conf

@@ -193,7 +193,7 @@ http {
 			proxy_set_header      X-Forwarded-Proto $scheme;
 		}
 
-		location ~ ^/auth/.*?(login|oidc/callback/) {
+		location ~ ^/auth/.*?(login|oidc/callback) {
 			rewrite               /auth/(.*) /$1 break;
 			limit_req             zone=auth_throttle burst={{ NGINXMERGED.config.throttle_login_burst }} nodelay;
 			limit_req_status      429;