feat: add PKCE option to generic OAuth2 / OIDC identity providers (#9373)

# Which Problems Are Solved

Some OAuth2 and OIDC providers require the use of PKCE for all their
clients. While ZITADEL already recommended the same for its clients, it
did not yet support the option on the IdP configuration.

# How the Problems Are Solved

- A new boolean `use_pkce` is added to the add/update generic OAuth/OIDC
endpoints.
- A new checkbox is added to the generic OAuth and OIDC provider
templates.
- The `rp.WithPKCE` option is added to the provider if the use of PKCE
has been set.
- The `rp.WithCodeChallenge` and `rp.WithCodeVerifier` options are added
to the OIDC/Auth BeginAuth and CodeExchange function.
- Store verifier or any other persistent argument in the intent or auth
request.
- Create corresponding session object before creating the intent, to be
able to store the information.
- (refactored session structs to use a constructor for unified creation
and better overview of actual usage)

Here's a screenshot showing the URI including the PKCE params:


![use_pkce_in_url](https://github.com/zitadel/zitadel/assets/30386061/eaeab123-a5da-4826-b001-2ae9efa35169)

# Additional Changes

None.

# Additional Context

- Closes #6449
- This PR replaces the existing PR (#8228) of @doncicuto. The base he
did was cherry picked. Thank you very much for that!

---------

Co-authored-by: Miguel Cabrerizo <doncicuto@gmail.com>
Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>

cmd/setup/50.go

@@ -0,0 +1,27 @@
+package setup
+
+import (
+	"context"
+	_ "embed"
+
+	"github.com/zitadel/zitadel/internal/database"
+	"github.com/zitadel/zitadel/internal/eventstore"
+)
+
+var (
+	//go:embed 50.sql
+	addUsePKCE string
+)
+
+type IDPTemplate6UsePKCE struct {
+	dbClient *database.DB
+}
+
+func (mig *IDPTemplate6UsePKCE) Execute(ctx context.Context, _ eventstore.Event) error {
+	_, err := mig.dbClient.ExecContext(ctx, addUsePKCE)
+	return err
+}
+
+func (mig *IDPTemplate6UsePKCE) String() string {
+	return "50_idp_templates6_add_use_pkce"
+}

cmd/setup/50.sql

@@ -0,0 +1,2 @@
+ALTER TABLE IF EXISTS projections.idp_templates6_oauth2 ADD COLUMN IF NOT EXISTS use_pkce BOOLEAN;
+ALTER TABLE IF EXISTS projections.idp_templates6_oidc ADD COLUMN IF NOT EXISTS use_pkce BOOLEAN;

cmd/setup/config.go

@@ -138,6 +138,7 @@ type Steps struct {
 	s47FillMembershipFields                 *FillMembershipFields
 	s48Apps7SAMLConfigsLoginVersion         *Apps7SAMLConfigsLoginVersion
 	s49InitPermittedOrgsFunction            *InitPermittedOrgsFunction
+	s50IDPTemplate6UsePKCE                  *IDPTemplate6UsePKCE
 }
 
 func MustNewSteps(v *viper.Viper) *Steps {

cmd/setup/setup.go

@@ -175,6 +175,7 @@ func Setup(ctx context.Context, config *Config, steps *Steps, masterKey string)
 	steps.s47FillMembershipFields = &FillMembershipFields{eventstore: eventstoreClient}
 	steps.s48Apps7SAMLConfigsLoginVersion = &Apps7SAMLConfigsLoginVersion{dbClient: dbClient}
 	steps.s49InitPermittedOrgsFunction = &InitPermittedOrgsFunction{eventstoreClient: dbClient}
+	steps.s50IDPTemplate6UsePKCE = &IDPTemplate6UsePKCE{dbClient: dbClient}
 
 	err = projection.Create(ctx, dbClient, eventstoreClient, config.Projections, nil, nil, nil)
 	logging.OnError(err).Fatal("unable to start projections")
@@ -240,6 +241,7 @@ func Setup(ctx context.Context, config *Config, steps *Steps, masterKey string)
 		steps.s46InitPermissionFunctions,
 		steps.s47FillMembershipFields,
 		steps.s49InitPermittedOrgsFunction,
+		steps.s50IDPTemplate6UsePKCE,
 	} {
 		mustExecuteMigration(ctx, eventstoreClient, step, "migration failed")
 	}

console/src/app/modules/providers/provider-oauth/provider-oauth.component.html

@@ -110,6 +110,15 @@
             </cnsl-form-field>
           </div>
 
+          <div class="specific-oauth-option">
+            <cnsl-info-section>
+              <div>
+                <p class="checkbox-desc">{{ 'IDP.USEPKCE_DESC' | translate }}</p>
+                <mat-checkbox formControlName="usePkce">{{ 'IDP.USEPKCE' | translate }}</mat-checkbox>
+              </div>
+            </cnsl-info-section>
+          </div>
+
           <cnsl-provider-options
             [initialOptions]="provider?.config?.options"
             (optionsChanged)="options = $event"

console/src/app/modules/providers/provider-oauth/provider-oauth.component.scss

@@ -0,0 +1,8 @@
+.specific-oauth-option {
+  max-width: 500px;
+
+  .checkbox-desc {
+    margin-top: 0;
+    margin-bottom: 0.5rem;
+  }
+}

console/src/app/modules/providers/provider-oauth/provider-oauth.component.ts

@@ -28,6 +28,7 @@ import { ProviderNextService } from '../provider-next/provider-next.service';
 
 @Component({
   selector: 'cnsl-provider-oauth',
+  styleUrls: ['./provider-oauth.component.scss'],
   templateUrl: './provider-oauth.component.html',
 })
 export class ProviderOAuthComponent {
@@ -88,6 +89,7 @@ export class ProviderOAuthComponent {
       userEndpoint: new UntypedFormControl('', [requiredValidator]),
       idAttribute: new UntypedFormControl('', [requiredValidator]),
       scopesList: new UntypedFormControl(['openid', 'profile', 'email'], []),
+      usePkce: new UntypedFormControl(false),
     });
 
     this.authService
@@ -187,6 +189,7 @@ export class ProviderOAuthComponent {
     req.setClientSecret(this.clientSecret?.value);
     req.setScopesList(this.scopesList?.value);
     req.setProviderOptions(this.options);
+    req.setUsePkce(this.usePkce?.value);
 
     this.loading = true;
     this.service
@@ -217,6 +220,7 @@ export class ProviderOAuthComponent {
       req.setClientSecret(this.clientSecret?.value);
       req.setScopesList(this.scopesList?.value);
       req.setProviderOptions(this.options);
+      req.setUsePkce(this.usePkce?.value);
 
       this.loading = true;
       this.service
@@ -297,4 +301,8 @@ export class ProviderOAuthComponent {
   public get scopesList(): AbstractControl | null {
     return this.form.get('scopesList');
   }
+
+  public get usePkce(): AbstractControl | null {
+    return this.form.get('usePkce');
+  }
 }

console/src/app/modules/providers/provider-oidc/provider-oidc.component.html

@@ -92,14 +92,22 @@
             </cnsl-form-field>
           </div>
 
-          <div class="id-token-mapping">
+          <div class="specific-oidc-option">
             <cnsl-info-section>
               <div>
                 <p class="checkbox-desc">{{ 'IDP.ISIDTOKENMAPPING_DESC' | translate }}</p>
                 <mat-checkbox formControlName="isIdTokenMapping">{{ 'IDP.ISIDTOKENMAPPING' | translate }}</mat-checkbox>
               </div>
             </cnsl-info-section>
+
+            <cnsl-info-section>
+              <div>
+                <p class="checkbox-desc">{{ 'IDP.USEPKCE_DESC' | translate }}</p>
+                <mat-checkbox formControlName="usePkce">{{ 'IDP.USEPKCE' | translate }}</mat-checkbox>
+              </div>
+            </cnsl-info-section>
           </div>
+
           <cnsl-provider-options
             [initialOptions]="provider?.config?.options"
             (optionsChanged)="options = $event"

console/src/app/modules/providers/provider-oidc/provider-oidc.component.scss

@@ -1,5 +1,7 @@
-.id-token-mapping {
+.specific-oidc-option {
-  max-width: 400px;
+  max-width: 500px;
+  display: flex;
+  flex-direction: column;
 
   .checkbox-desc {
     margin-top: 0;

console/src/app/modules/providers/provider-oidc/provider-oidc.component.ts

@@ -85,6 +85,7 @@ export class ProviderOIDCComponent {
       issuer: new UntypedFormControl('', [requiredValidator]),
       scopesList: new UntypedFormControl(['openid', 'profile', 'email'], []),
       isIdTokenMapping: new UntypedFormControl(),
+      usePkce: new UntypedFormControl(false),
     });
 
     this.route.data.pipe(take(1)).subscribe((data) => {
@@ -165,6 +166,7 @@ export class ProviderOIDCComponent {
     req.setScopesList(this.scopesList?.value);
     req.setProviderOptions(this.options);
     req.setIsIdTokenMapping(this.isIdTokenMapping?.value);
+    req.setUsePkce(this.usePkce?.value);
 
     this.loading = true;
     this.service
@@ -193,6 +195,7 @@ export class ProviderOIDCComponent {
       req.setScopesList(this.scopesList?.value);
       req.setProviderOptions(this.options);
       req.setIsIdTokenMapping(this.isIdTokenMapping?.value);
+      req.setUsePkce(this.usePkce?.value);
 
       this.loading = true;
       this.service
@@ -261,4 +264,8 @@ export class ProviderOIDCComponent {
   public get isIdTokenMapping(): AbstractControl | null {
     return this.form.get('isIdTokenMapping');
   }
+
+  public get usePkce(): AbstractControl | null {
+    return this.form.get('usePkce');
+  }
 }

console/src/assets/i18n/bg.json

@@ -2200,7 +2200,9 @@
       "REMOVED": "Премахнато успешно."
     },
     "ISIDTOKENMAPPING": "Съответствие от ID токен",
-    "ISIDTOKENMAPPING_DESC": "Ако е избрано, информацията на доставчика се съответства от ID токена, а не от userinfo крайната точка."
+    "ISIDTOKENMAPPING_DESC": "Ако е избрано, информацията на доставчика се съответства от ID токена, а не от userinfo крайната точка.",
+    "USEPKCE": "Използвайте PKCE",
+    "USEPKCE_DESC": "Определя дали параметрите code_challenge и code_challenge_method са включени в заявката за удостоверяване"
   },
   "MFA": {
     "LIST": {

console/src/assets/i18n/cs.json

@@ -2213,7 +2213,9 @@
       "REMOVED": "Úspěšně odebráno."
     },
     "ISIDTOKENMAPPING": "Mapování z ID tokenu",
-    "ISIDTOKENMAPPING_DESC": "Pokud je vybráno, informace o poskytovateli jsou mapovány z ID tokenu, nikoli z koncového bodu userinfo."
+    "ISIDTOKENMAPPING_DESC": "Pokud je vybráno, informace o poskytovateli jsou mapovány z ID tokenu, nikoli z koncového bodu userinfo.",
+    "USEPKCE": "Použijte PKCE",
+    "USEPKCE_DESC": "Určuje, zda jsou v požadavku na ověření zahrnuty parametry code_challenge a code_challenge_method"
   },
   "MFA": {
     "LIST": {

console/src/assets/i18n/de.json

@@ -2204,7 +2204,9 @@
       "REMOVED": "Erfolgreich entfernt."
     },
     "ISIDTOKENMAPPING": "Zuordnung vom ID-Token",
-    "ISIDTOKENMAPPING_DESC": "Legt fest, ob für das Mapping der Provider Informationen das ID-Token verwendet werden soll, anstatt des Userinfo-Endpoints."
+    "ISIDTOKENMAPPING_DESC": "Legt fest, ob für das Mapping der Provider Informationen das ID-Token verwendet werden soll, anstatt des Userinfo-Endpoints.",
+    "USEPKCE": "Verwenden Sie PKCE",
+    "USEPKCE_DESC": "Bestimmt, ob die Parameter code_challenge und code_challenge_method in der Authentifizierungsanforderung enthalten sind"
   },
   "MFA": {
     "LIST": {

console/src/assets/i18n/en.json

@@ -2225,7 +2225,9 @@
       "REMOVED": "Removed successfully."
     },
     "ISIDTOKENMAPPING": "Map from the ID token",
-    "ISIDTOKENMAPPING_DESC": "If selected, provider information gets mapped from the ID token, not from the userinfo endpoint."
+    "ISIDTOKENMAPPING_DESC": "If selected, provider information gets mapped from the ID token, not from the userinfo endpoint.",
+    "USEPKCE": "Use PKCE",
+    "USEPKCE_DESC": "Determines whether the code_challenge and code_challenge_method params are included in the auth request"
   },
   "MFA": {
     "LIST": {

console/src/assets/i18n/es.json

@@ -2201,7 +2201,9 @@
       "REMOVED": "Eliminado con éxito."
     },
     "ISIDTOKENMAPPING": "Asignación del ID token",
-    "ISIDTOKENMAPPING_DESC": "Si se selecciona, la información del proveedor se asigna desde el ID token, no desde el punto final de userinfo."
+    "ISIDTOKENMAPPING_DESC": "Si se selecciona, la información del proveedor se asigna desde el ID token, no desde el punto final de userinfo.",
+    "USEPKCE": "Usa PKCE",
+    "USEPKCE_DESC": "Determina si los parámetros code_challenge y code_challenge_method son incluidos en la solicitud de autenticación."
   },
   "MFA": {
     "LIST": {

console/src/assets/i18n/fr.json

@@ -2205,7 +2205,9 @@
       "REMOVED": "Suppression réussie."
     },
     "ISIDTOKENMAPPING": "Mappage depuis le jeton ID",
-    "ISIDTOKENMAPPING_DESC": "Si sélectionné, les informations du fournisseur sont mappées à partir du jeton ID, et non à partir du point d'extrémité userinfo."
+    "ISIDTOKENMAPPING_DESC": "Si sélectionné, les informations du fournisseur sont mappées à partir du jeton ID, et non à partir du point d'extrémité userinfo.",
+    "USEPKCE": "Utiliser PKCE",
+    "USEPKCE_DESC": "Détermine si les paramètres code_challenge et code_challenge_method sont inclus dans la demande d'authentification"
   },
   "MFA": {
     "LIST": {

console/src/assets/i18n/hu.json

@@ -2223,7 +2223,9 @@
       "REMOVED": "Sikeresen eltávolítva."
     },
     "ISIDTOKENMAPPING": "Hozzárendelés az ID token alapján",
-    "ISIDTOKENMAPPING_DESC": "Ha ezt választod, a szolgáltatói információkat az ID token alapján rendeljük hozzá, nem a userinfo végpontból."
+    "ISIDTOKENMAPPING_DESC": "Ha ezt választod, a szolgáltatói információkat az ID token alapján rendeljük hozzá, nem a userinfo végpontból.",
+    "USEPKCE": "PKCE használata",
+    "USEPKCE_DESC": "Meghatározza, hogy a code_challenge és a code_challenge_method paraméterek szerepeljenek-e a hitelesítési kérelemben"
   },
   "MFA": {
     "LIST": {

console/src/assets/i18n/id.json

@@ -2006,7 +2006,9 @@
       "REMOVED": "Berhasil dihapus."
     },
     "ISIDTOKENMAPPING": "Peta dari token ID",
-    "ISIDTOKENMAPPING_DESC": "Jika dipilih, informasi penyedia akan dipetakan dari token ID, bukan dari titik akhir info pengguna."
+    "ISIDTOKENMAPPING_DESC": "Jika dipilih, informasi penyedia akan dipetakan dari token ID, bukan dari titik akhir info pengguna.",
+    "USEPKCE": "Gunakan PKCE",
+    "USEPKCE_DESC": "Menentukan apakah parameter code_challenge dan code_challenge_method disertakan dalam permintaan autentikasi"
   },
   "MFA": {
     "LIST": {

console/src/assets/i18n/it.json

@@ -2205,7 +2205,9 @@
       "REMOVED": "Rimosso con successo."
     },
     "ISIDTOKENMAPPING": "Mappatura dal token ID",
-    "ISIDTOKENMAPPING_DESC": "Se selezionato, le informazioni del provider vengono mappate dal token ID, non dal punto finale userinfo."
+    "ISIDTOKENMAPPING_DESC": "Se selezionato, le informazioni del provider vengono mappate dal token ID, non dal punto finale userinfo.",
+    "USEPKCE": "Usa PKCE",
+    "USEPKCE_DESC": "Determina se i parametri code_challenge e code_challenge_method sono inclusi nella richiesta di autenticazione"
   },
   "MFA": {
     "LIST": {

console/src/assets/i18n/ja.json

@@ -2225,7 +2225,9 @@
       "REMOVED": "正常に削除されました。"
     },
     "ISIDTOKENMAPPING": "IDトークンからのマッピング",
-    "ISIDTOKENMAPPING_DESC": "選択された場合、プロバイダ情報はIDトークンからマッピングされ、userinfoエンドポイントからではありません。"
+    "ISIDTOKENMAPPING_DESC": "選択された場合、プロバイダ情報はIDトークンからマッピングされ、userinfoエンドポイントからではありません。",
+    "USEPKCE": "PKCEを使用する",
+    "USEPKCE_DESC": "code_challenge パラメータと code_challenge_method パラメータが認証リクエストに含まれるかどうかを決定します。"
   },
   "MFA": {
     "LIST": {

console/src/assets/i18n/ko.json

@@ -2225,7 +2225,9 @@
       "REMOVED": "성공적으로 제거되었습니다."
     },
     "ISIDTOKENMAPPING": "ID 토큰에서 매핑",
-    "ISIDTOKENMAPPING_DESC": "선택 시, 사용자 정보 엔드포인트가 아닌 ID 토큰에서 제공자 정보를 매핑합니다."
+    "ISIDTOKENMAPPING_DESC": "선택 시, 사용자 정보 엔드포인트가 아닌 ID 토큰에서 제공자 정보를 매핑합니다.",
+    "USEPKCE": "PKCE 사용",
+    "USEPKCE_DESC": "code_challenge 및 code_challenge_method 매개변수가 인증 요청에 포함되는지 여부를 결정합니다"
   },
   "MFA": {
     "LIST": {

console/src/assets/i18n/mk.json

@@ -2201,7 +2201,9 @@
       "REMOVED": "Успешно отстрането."
     },
     "ISIDTOKENMAPPING": "Совпаѓање од ID токен",
-    "ISIDTOKENMAPPING_DESC": "Ако е избрано, информациите од провајдерот се мапираат од ID токенот, а не од userinfo крајната точка."
+    "ISIDTOKENMAPPING_DESC": "Ако е избрано, информациите од провајдерот се мапираат од ID токенот, а не од userinfo крајната точка.",
+    "USEPKCE": "Користете PKCE",
+    "USEPKCE_DESC": "Определува дали параметрите code_challenge и code_challenge_method се вклучени во барањето за авторизација"
   },
   "MFA": {
     "LIST": {

console/src/assets/i18n/nl.json

@@ -2220,7 +2220,9 @@
       "REMOVED": "Succesvol verwijderd."
     },
     "ISIDTOKENMAPPING": "Kaart van de ID token",
-    "ISIDTOKENMAPPING_DESC": "Als geselecteerd, wordt provider informatie in kaart gebracht van de ID token, niet van de userinfo eindpunt."
+    "ISIDTOKENMAPPING_DESC": "Als geselecteerd, wordt provider informatie in kaart gebracht van de ID token, niet van de userinfo eindpunt.",
+    "USEPKCE": "Gebruik PKCE",
+    "USEPKCE_DESC": "Bepaalt of de parameters code_challenge en code_challenge_method zijn opgenomen in het verificatieverzoek"
   },
   "MFA": {
     "LIST": {

console/src/assets/i18n/pl.json

@@ -2204,7 +2204,9 @@
       "REMOVED": "Usunięto pomyślnie."
     },
     "ISIDTOKENMAPPING": "Mapowanie z tokena ID",
-    "ISIDTOKENMAPPING_DESC": "Jeśli wybrane, informacje dostawcy są mapowane z tokena ID, a nie z punktu końcowego userinfo."
+    "ISIDTOKENMAPPING_DESC": "Jeśli wybrane, informacje dostawcy są mapowane z tokena ID, a nie z punktu końcowego userinfo.",
+    "USEPKCE": "Skorzystaj z PKCE",
+    "USEPKCE_DESC": "Określa, czy parametry code_challenge i code_challenge_method są uwzględnione w żądaniu uwierzytelnienia"
   },
   "MFA": {
     "LIST": {

console/src/assets/i18n/pt.json

@@ -2200,7 +2200,9 @@
       "REMOVED": "Removido com sucesso."
     },
     "ISIDTOKENMAPPING": "Mapeamento do token ID",
-    "ISIDTOKENMAPPING_DESC": "Se selecionado, as informações do provedor são mapeadas a partir do token ID, e não do ponto final userinfo."
+    "ISIDTOKENMAPPING_DESC": "Se selecionado, as informações do provedor são mapeadas a partir do token ID, e não do ponto final userinfo.",
+    "USEPKCE": "Usar PKCE",
+    "USEPKCE_DESC": "Determina se os parâmetros code_challenge e code_challenge_method estão incluídos na solicitação de autenticação"
   },
   "MFA": {
     "LIST": {

console/src/assets/i18n/ru.json

@@ -2316,7 +2316,9 @@
       "REMOVED": "Удалено успешно."
     },
     "ISIDTOKENMAPPING": "Карта из ID-токена",
-    "ISIDTOKENMAPPING_DESC": "Если этот флажок установлен, информация о поставщике сопоставляется с маркером идентификатора, а не с конечной точкой информации о пользователе."
+    "ISIDTOKENMAPPING_DESC": "Если этот флажок установлен, информация о поставщике сопоставляется с маркером идентификатора, а не с конечной точкой информации о пользователе.",
+    "USEPKCE": "Используйте ПКСЕ",
+    "USEPKCE_DESC": "Определяет, включены ли параметры code_challenge и code_challenge_method в запрос аутентификации."
   },
   "MFA": {
     "LIST": {

console/src/assets/i18n/sv.json

@@ -2229,7 +2229,9 @@
       "REMOVED": "Borttagen framgångsrikt."
     },
     "ISIDTOKENMAPPING": "Mappa från ID-token",
-    "ISIDTOKENMAPPING_DESC": "Om valt, mappas leverantörsinformation från ID-token, inte från användarinfo-slutpunkten."
+    "ISIDTOKENMAPPING_DESC": "Om valt, mappas leverantörsinformation från ID-token, inte från användarinfo-slutpunkten.",
+    "USEPKCE": "Använd PKCE",
+    "USEPKCE_DESC": "Avgör om parametrarna code_challenge och code_challenge_method ingår i autentiseringsbegäran"
   },
   "MFA": {
     "LIST": {

console/src/assets/i18n/zh.json

@@ -2204,7 +2204,9 @@
       "REMOVED": "成功删除。"
     },
     "ISIDTOKENMAPPING": "从ID令牌映射",
-    "ISIDTOKENMAPPING_DESC": "如果选中，提供商信息将从ID令牌映射，而不是从userinfo端点。"
+    "ISIDTOKENMAPPING_DESC": "如果选中，提供商信息将从ID令牌映射，而不是从userinfo端点。",
+    "USEPKCE": "使用PKCE",
+    "USEPKCE_DESC": "确定 auth 请求中是否包含 code_challenge 和 code_challenge_method 参数"
   },
   "MFA": {
     "LIST": {

docs/docs/guides/integrate/identity-providers/keycloak.mdx

@@ -50,6 +50,9 @@ A useful default will be filled if you don't change anything.
 This information will be taken to create/update the user within ZITADEL.
 ZITADEL ensures that at least the `openid`-scope is always sent.
 
+**Use PKCE**: If enabled, the provider will use Proof Key for Code Exchange (PKCE) to secure the authorization code flow
+in addition to the client secret.
+
 <GeneralConfigDescription provider_account="Keycloak account" />
 
 ![Keycloak Provider](/img/guides/zitadel_keycloak_create_provider.png)

docs/docs/guides/integrate/identity-providers/okta-oidc.mdx

@@ -49,6 +49,9 @@ A useful default will be filled if you don't change anything.
 This information will be taken to create/update the user within ZITADEL.
 ZITADEL ensures that at least the `openid`-scope is always sent.
 
+**Use PKCE**: If enabled, the provider will use Proof Key for Code Exchange (PKCE) to secure the authorization code flow
+in addition to the client secret.
+
 <GeneralConfigDescription provider_account="OKTA account" />
 
 ### Activate IdP

internal/api/grpc/admin/idp_converter.go

@@ -215,6 +215,7 @@ func addGenericOAuthProviderToCommand(req *admin_pb.AddGenericOAuthProviderReque
 		UserEndpoint:          req.UserEndpoint,
 		Scopes:                req.Scopes,
 		IDAttribute:           req.IdAttribute,
+		UsePKCE:               req.UsePkce,
 		IDPOptions:            idp_grpc.OptionsToCommand(req.ProviderOptions),
 	}
 }
@@ -229,6 +230,7 @@ func updateGenericOAuthProviderToCommand(req *admin_pb.UpdateGenericOAuthProvide
 		UserEndpoint:          req.UserEndpoint,
 		Scopes:                req.Scopes,
 		IDAttribute:           req.IdAttribute,
+		UsePKCE:               req.UsePkce,
 		IDPOptions:            idp_grpc.OptionsToCommand(req.ProviderOptions),
 	}
 }
@@ -241,6 +243,7 @@ func addGenericOIDCProviderToCommand(req *admin_pb.AddGenericOIDCProviderRequest
 		ClientSecret:     req.ClientSecret,
 		Scopes:           req.Scopes,
 		IsIDTokenMapping: req.IsIdTokenMapping,
+		UsePKCE:          req.UsePkce,
 		IDPOptions:       idp_grpc.OptionsToCommand(req.ProviderOptions),
 	}
 }
@@ -253,6 +256,7 @@ func updateGenericOIDCProviderToCommand(req *admin_pb.UpdateGenericOIDCProviderR
 		ClientSecret:     req.ClientSecret,
 		Scopes:           req.Scopes,
 		IsIDTokenMapping: req.IsIdTokenMapping,
+		UsePKCE:          req.UsePkce,
 		IDPOptions:       idp_grpc.OptionsToCommand(req.ProviderOptions),
 	}
 }

internal/api/grpc/idp/converter.go

@@ -504,6 +504,7 @@ func oauthConfigToPb(providerConfig *idp_pb.ProviderConfig, template *query.OAut
 			UserEndpoint:          template.UserEndpoint,
 			Scopes:                template.Scopes,
 			IdAttribute:           template.IDAttribute,
+			UsePkce:               template.UsePKCE,
 		},
 	}
 }
@@ -515,6 +516,7 @@ func oidcConfigToPb(providerConfig *idp_pb.ProviderConfig, template *query.OIDCI
 			Issuer:           template.Issuer,
 			Scopes:           template.Scopes,
 			IsIdTokenMapping: template.IsIDTokenMapping,
+			UsePkce:          template.UsePKCE,
 		},
 	}
 }

internal/api/grpc/management/idp_converter.go

@@ -209,6 +209,7 @@ func addGenericOAuthProviderToCommand(req *mgmt_pb.AddGenericOAuthProviderReques
 		Scopes:                req.Scopes,
 		IDAttribute:           req.IdAttribute,
 		IDPOptions:            idp_grpc.OptionsToCommand(req.ProviderOptions),
+		UsePKCE:               req.UsePkce,
 	}
 }
 
@@ -223,6 +224,7 @@ func updateGenericOAuthProviderToCommand(req *mgmt_pb.UpdateGenericOAuthProvider
 		Scopes:                req.Scopes,
 		IDAttribute:           req.IdAttribute,
 		IDPOptions:            idp_grpc.OptionsToCommand(req.ProviderOptions),
+		UsePKCE:               req.UsePkce,
 	}
 }
 
@@ -234,6 +236,7 @@ func addGenericOIDCProviderToCommand(req *mgmt_pb.AddGenericOIDCProviderRequest)
 		ClientSecret:     req.ClientSecret,
 		Scopes:           req.Scopes,
 		IsIDTokenMapping: req.IsIdTokenMapping,
+		UsePKCE:          req.UsePkce,
 		IDPOptions:       idp_grpc.OptionsToCommand(req.ProviderOptions),
 	}
 }
@@ -246,6 +249,7 @@ func updateGenericOIDCProviderToCommand(req *mgmt_pb.UpdateGenericOIDCProviderRe
 		ClientSecret:     req.ClientSecret,
 		Scopes:           req.Scopes,
 		IsIDTokenMapping: req.IsIdTokenMapping,
+		UsePKCE:          req.UsePkce,
 		IDPOptions:       idp_grpc.OptionsToCommand(req.ProviderOptions),
 	}
 }

internal/api/grpc/user/v2/user.go

@@ -368,31 +368,31 @@ func (s *Server) StartIdentityProviderIntent(ctx context.Context, req *user.Star
 }
 
 func (s *Server) startIDPIntent(ctx context.Context, idpID string, urls *user.RedirectURLs) (*user.StartIdentityProviderIntentResponse, error) {
-	intentWriteModel, details, err := s.command.CreateIntent(ctx, idpID, urls.GetSuccessUrl(), urls.GetFailureUrl(), authz.GetInstance(ctx).InstanceID())
+	state, session, err := s.command.AuthFromProvider(ctx, idpID, s.idpCallback(ctx), s.samlRootURL(ctx, idpID))
 	if err != nil {
 		return nil, err
 	}
-	content, redirect, err := s.command.AuthFromProvider(ctx, idpID, intentWriteModel.AggregateID, s.idpCallback(ctx), s.samlRootURL(ctx, idpID))
+	_, details, err := s.command.CreateIntent(ctx, state, idpID, urls.GetSuccessUrl(), urls.GetFailureUrl(), authz.GetInstance(ctx).InstanceID(), session.PersistentParameters())
 	if err != nil {
 		return nil, err
 	}
+	content, redirect := session.GetAuth(ctx)
 	if redirect {
 		return &user.StartIdentityProviderIntentResponse{
 			Details:  object.DomainToDetailsPb(details),
 			NextStep: &user.StartIdentityProviderIntentResponse_AuthUrl{AuthUrl: content},
 		}, nil
-	} else {
-		return &user.StartIdentityProviderIntentResponse{
-			Details: object.DomainToDetailsPb(details),
-			NextStep: &user.StartIdentityProviderIntentResponse_PostForm{
-				PostForm: []byte(content),
-			},
-		}, nil
 	}
+	return &user.StartIdentityProviderIntentResponse{
+		Details: object.DomainToDetailsPb(details),
+		NextStep: &user.StartIdentityProviderIntentResponse_PostForm{
+			PostForm: []byte(content),
+		},
+	}, nil
 }
 
 func (s *Server) startLDAPIntent(ctx context.Context, idpID string, ldapCredentials *user.LDAPCredentials) (*user.StartIdentityProviderIntentResponse, error) {
-	intentWriteModel, details, err := s.command.CreateIntent(ctx, idpID, "", "", authz.GetInstance(ctx).InstanceID())
+	intentWriteModel, details, err := s.command.CreateIntent(ctx, "", idpID, "", "", authz.GetInstance(ctx).InstanceID(), nil)
 	if err != nil {
 		return nil, err
 	}

internal/api/grpc/user/v2beta/user.go

@@ -371,31 +371,31 @@ func (s *Server) StartIdentityProviderIntent(ctx context.Context, req *user.Star
 }
 
 func (s *Server) startIDPIntent(ctx context.Context, idpID string, urls *user.RedirectURLs) (*user.StartIdentityProviderIntentResponse, error) {
-	intentWriteModel, details, err := s.command.CreateIntent(ctx, idpID, urls.GetSuccessUrl(), urls.GetFailureUrl(), authz.GetInstance(ctx).InstanceID())
+	state, session, err := s.command.AuthFromProvider(ctx, idpID, s.idpCallback(ctx), s.samlRootURL(ctx, idpID))
 	if err != nil {
 		return nil, err
 	}
-	content, redirect, err := s.command.AuthFromProvider(ctx, idpID, intentWriteModel.AggregateID, s.idpCallback(ctx), s.samlRootURL(ctx, idpID))
+	_, details, err := s.command.CreateIntent(ctx, state, idpID, urls.GetSuccessUrl(), urls.GetFailureUrl(), authz.GetInstance(ctx).InstanceID(), session.PersistentParameters())
 	if err != nil {
 		return nil, err
 	}
+	content, redirect := session.GetAuth(ctx)
 	if redirect {
 		return &user.StartIdentityProviderIntentResponse{
 			Details:  object.DomainToDetailsPb(details),
 			NextStep: &user.StartIdentityProviderIntentResponse_AuthUrl{AuthUrl: content},
 		}, nil
-	} else {
-		return &user.StartIdentityProviderIntentResponse{
-			Details: object.DomainToDetailsPb(details),
-			NextStep: &user.StartIdentityProviderIntentResponse_PostForm{
-				PostForm: []byte(content),
-			},
-		}, nil
 	}
+	return &user.StartIdentityProviderIntentResponse{
+		Details: object.DomainToDetailsPb(details),
+		NextStep: &user.StartIdentityProviderIntentResponse_PostForm{
+			PostForm: []byte(content),
+		},
+	}, nil
 }
 
 func (s *Server) startLDAPIntent(ctx context.Context, idpID string, ldapCredentials *user.LDAPCredentials) (*user.StartIdentityProviderIntentResponse, error) {
-	intentWriteModel, details, err := s.command.CreateIntent(ctx, idpID, "", "", authz.GetInstance(ctx).InstanceID())
+	intentWriteModel, details, err := s.command.CreateIntent(ctx, "", idpID, "", "", authz.GetInstance(ctx).InstanceID(), nil)
 	if err != nil {
 		return nil, err
 	}

internal/api/idp/idp.go

@@ -328,7 +328,7 @@ func (h *Handler) handleCallback(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	idpUser, idpSession, err := h.fetchIDPUserFromCode(ctx, provider, data.Code, data.User)
+	idpUser, idpSession, err := h.fetchIDPUserFromCode(ctx, provider, data.Code, data.User, intent.IDPArguments)
 	if err != nil {
 		cmdErr := h.commands.FailIDPIntent(ctx, intent, err.Error())
 		logging.WithFields("intent", intent.AggregateID).OnError(cmdErr).Error("failed to push failed event on idp intent")
@@ -410,23 +410,23 @@ func redirectToFailureURL(w http.ResponseWriter, r *http.Request, i *command.IDP
 	http.Redirect(w, r, i.FailureURL.String(), http.StatusFound)
 }
 
-func (h *Handler) fetchIDPUserFromCode(ctx context.Context, identityProvider idp.Provider, code string, appleUser string) (user idp.User, idpTokens idp.Session, err error) {
+func (h *Handler) fetchIDPUserFromCode(ctx context.Context, identityProvider idp.Provider, code string, appleUser string, idpArguments map[string]any) (user idp.User, idpTokens idp.Session, err error) {
 	var session idp.Session
 	switch provider := identityProvider.(type) {
 	case *oauth.Provider:
-		session = &oauth.Session{Provider: provider, Code: code}
+		session = oauth.NewSession(provider, code, idpArguments)
 	case *openid.Provider:
-		session = &openid.Session{Provider: provider, Code: code}
+		session = openid.NewSession(provider, code, idpArguments)
 	case *azuread.Provider:
-		session = &azuread.Session{Provider: provider, Code: code}
+		session = azuread.NewSession(provider, code)
 	case *github.Provider:
-		session = &oauth.Session{Provider: provider.Provider, Code: code}
+		session = oauth.NewSession(provider.Provider, code, idpArguments)
 	case *gitlab.Provider:
-		session = &openid.Session{Provider: provider.Provider, Code: code}
+		session = openid.NewSession(provider.Provider, code, idpArguments)
 	case *google.Provider:
-		session = &openid.Session{Provider: provider.Provider, Code: code}
+		session = openid.NewSession(provider.Provider, code, idpArguments)
 	case *apple.Provider:
-		session = &apple.Session{Session: &openid.Session{Provider: provider.Provider, Code: code}, UserFormValue: appleUser}
+		session = apple.NewSession(provider, code, appleUser)
 	case *jwt.Provider, *ldap.Provider, *saml2.Provider:
 		return nil, nil, zerrors.ThrowInvalidArgument(nil, "IDP-52jmn", "Errors.ExternalIDP.IDPTypeNotImplemented")
 	default:

internal/api/ui/login/external_provider_handler.go

@@ -149,14 +149,7 @@ func (l *Login) handleIDP(w http.ResponseWriter, r *http.Request, authReq *domai
 		l.renderError(w, r, authReq, err)
 		return
 	}
-	userAgentID, _ := http_mw.UserAgentIDFromCtx(r.Context())
-	err = l.authRepo.SelectExternalIDP(r.Context(), authReq.ID, identityProvider.ID, userAgentID)
-	if err != nil {
-		l.externalAuthFailed(w, r, authReq, err)
-		return
-	}
 	var provider idp.Provider
-
 	switch identityProvider.Type {
 	case domain.IDPTypeOAuth:
 		provider, err = l.oauthProvider(r.Context(), identityProvider)
@@ -199,6 +192,13 @@ func (l *Login) handleIDP(w http.ResponseWriter, r *http.Request, authReq *domai
 		return
 	}
 
+	userAgentID, _ := http_mw.UserAgentIDFromCtx(r.Context())
+	err = l.authRepo.SelectExternalIDP(r.Context(), authReq.ID, identityProvider.ID, userAgentID, session.PersistentParameters())
+	if err != nil {
+		l.externalAuthFailed(w, r, authReq, err)
+		return
+	}
+
 	content, redirect := session.GetAuth(r.Context())
 	if redirect {
 		http.Redirect(w, r, content, http.StatusFound)
@@ -271,79 +271,78 @@ func (l *Login) handleExternalLoginCallback(w http.ResponseWriter, r *http.Reque
 		l.externalAuthCallbackFailed(w, r, authReq, nil, nil, err)
 		return
 	}
-	var provider idp.Provider
 	var session idp.Session
 	switch identityProvider.Type {
 	case domain.IDPTypeOAuth:
-		provider, err = l.oauthProvider(r.Context(), identityProvider)
+		provider, err := l.oauthProvider(r.Context(), identityProvider)
 		if err != nil {
 			l.externalAuthCallbackFailed(w, r, authReq, nil, nil, err)
 			return
 		}
-		session = &oauth.Session{Provider: provider.(*oauth.Provider), Code: data.Code}
+		session = oauth.NewSession(provider, data.Code, authReq.SelectedIDPConfigArgs)
 	case domain.IDPTypeOIDC:
-		provider, err = l.oidcProvider(r.Context(), identityProvider)
+		provider, err := l.oidcProvider(r.Context(), identityProvider)
 		if err != nil {
 			l.externalAuthCallbackFailed(w, r, authReq, nil, nil, err)
 			return
 		}
-		session = &openid.Session{Provider: provider.(*openid.Provider), Code: data.Code}
+		session = openid.NewSession(provider, data.Code, authReq.SelectedIDPConfigArgs)
 	case domain.IDPTypeAzureAD:
-		provider, err = l.azureProvider(r.Context(), identityProvider)
+		provider, err := l.azureProvider(r.Context(), identityProvider)
 		if err != nil {
 			l.externalAuthCallbackFailed(w, r, authReq, nil, nil, err)
 			return
 		}
-		session = &azuread.Session{Provider: provider.(*azuread.Provider), Code: data.Code}
+		session = azuread.NewSession(provider, data.Code)
 	case domain.IDPTypeGitHub:
-		provider, err = l.githubProvider(r.Context(), identityProvider)
+		provider, err := l.githubProvider(r.Context(), identityProvider)
 		if err != nil {
 			l.externalAuthCallbackFailed(w, r, authReq, nil, nil, err)
 			return
 		}
-		session = &oauth.Session{Provider: provider.(*github.Provider).Provider, Code: data.Code}
+		session = oauth.NewSession(provider.Provider, data.Code, authReq.SelectedIDPConfigArgs)
 	case domain.IDPTypeGitHubEnterprise:
-		provider, err = l.githubEnterpriseProvider(r.Context(), identityProvider)
+		provider, err := l.githubEnterpriseProvider(r.Context(), identityProvider)
 		if err != nil {
 			l.externalAuthCallbackFailed(w, r, authReq, nil, nil, err)
 			return
 		}
-		session = &oauth.Session{Provider: provider.(*github.Provider).Provider, Code: data.Code}
+		session = oauth.NewSession(provider.Provider, data.Code, authReq.SelectedIDPConfigArgs)
 	case domain.IDPTypeGitLab:
-		provider, err = l.gitlabProvider(r.Context(), identityProvider)
+		provider, err := l.gitlabProvider(r.Context(), identityProvider)
 		if err != nil {
 			l.externalAuthCallbackFailed(w, r, authReq, nil, nil, err)
 			return
 		}
-		session = &openid.Session{Provider: provider.(*gitlab.Provider).Provider, Code: data.Code}
+		session = openid.NewSession(provider.Provider, data.Code, authReq.SelectedIDPConfigArgs)
 	case domain.IDPTypeGitLabSelfHosted:
-		provider, err = l.gitlabSelfHostedProvider(r.Context(), identityProvider)
+		provider, err := l.gitlabSelfHostedProvider(r.Context(), identityProvider)
 		if err != nil {
 			l.externalAuthCallbackFailed(w, r, authReq, nil, nil, err)
 			return
 		}
-		session = &openid.Session{Provider: provider.(*gitlab.Provider).Provider, Code: data.Code}
+		session = openid.NewSession(provider.Provider, data.Code, authReq.SelectedIDPConfigArgs)
 	case domain.IDPTypeGoogle:
-		provider, err = l.googleProvider(r.Context(), identityProvider)
+		provider, err := l.googleProvider(r.Context(), identityProvider)
 		if err != nil {
 			l.externalAuthCallbackFailed(w, r, authReq, nil, nil, err)
 			return
 		}
-		session = &openid.Session{Provider: provider.(*google.Provider).Provider, Code: data.Code}
+		session = openid.NewSession(provider.Provider, data.Code, authReq.SelectedIDPConfigArgs)
 	case domain.IDPTypeApple:
-		provider, err = l.appleProvider(r.Context(), identityProvider)
+		provider, err := l.appleProvider(r.Context(), identityProvider)
 		if err != nil {
 			l.externalAuthCallbackFailed(w, r, authReq, nil, nil, err)
 			return
 		}
-		session = &apple.Session{Session: &openid.Session{Provider: provider.(*apple.Provider).Provider, Code: data.Code}, UserFormValue: data.User}
+		session = apple.NewSession(provider, data.Code, data.User)
 	case domain.IDPTypeSAML:
-		provider, err = l.samlProvider(r.Context(), identityProvider)
+		provider, err := l.samlProvider(r.Context(), identityProvider)
 		if err != nil {
 			l.externalAuthCallbackFailed(w, r, authReq, nil, nil, err)
 			return
 		}
-		session, err = saml.NewSession(provider.(*saml.Provider), authReq.SAMLRequestID, r)
+		session, err = saml.NewSession(provider, authReq.SAMLRequestID, r)
 		if err != nil {
 			l.externalAuthCallbackFailed(w, r, authReq, nil, nil, err)
 			return
@@ -440,7 +439,7 @@ func (l *Login) handleExternalUserAuthenticated(
 ) {
 	externalUser := mapIDPUserToExternalUser(user, provider.ID)
 	// ensure the linked IDP is added to the login policy
-	if err := l.authRepo.SelectExternalIDP(r.Context(), authReq.ID, provider.ID, authReq.AgentID); err != nil {
+	if err := l.authRepo.SelectExternalIDP(r.Context(), authReq.ID, provider.ID, authReq.AgentID, authReq.SelectedIDPConfigArgs); err != nil {
 		l.renderError(w, r, authReq, err)
 		return
 	}
@@ -1005,11 +1004,17 @@ func (l *Login) oidcProvider(ctx context.Context, identityProvider *query.IDPTem
 	if err != nil {
 		return nil, err
 	}
-	opts := make([]openid.ProviderOpts, 1, 2)
+	opts := make([]openid.ProviderOpts, 1, 3)
 	opts[0] = openid.WithSelectAccount()
 	if identityProvider.OIDCIDPTemplate.IsIDTokenMapping {
 		opts = append(opts, openid.WithIDTokenMapping())
 	}
+
+	if identityProvider.OIDCIDPTemplate.UsePKCE {
+		// we do not pass any cookie handler, since we store the verifier internally, rather than in a cookie
+		opts = append(opts, openid.WithRelyingPartyOption(rp.WithPKCE(nil)))
+	}
+
 	return openid.New(identityProvider.Name,
 		identityProvider.OIDCIDPTemplate.Issuer,
 		identityProvider.OIDCIDPTemplate.ClientID,
@@ -1047,6 +1052,12 @@ func (l *Login) oauthProvider(ctx context.Context, identityProvider *query.IDPTe
 		RedirectURL: l.baseURL(ctx) + EndpointExternalLoginCallback,
 		Scopes:      identityProvider.OAuthIDPTemplate.Scopes,
 	}
+
+	opts := make([]oauth.ProviderOpts, 0, 1)
+	if identityProvider.OAuthIDPTemplate.UsePKCE {
+		// we do not pass any cookie handler, since we store the verifier internally, rather than in a cookie
+		opts = append(opts, oauth.WithRelyingPartyOption(rp.WithPKCE(nil)))
+	}
 	return oauth.New(
 		config,
 		identityProvider.Name,
@@ -1054,6 +1065,7 @@ func (l *Login) oauthProvider(ctx context.Context, identityProvider *query.IDPTe
 		func() idp.User {
 			return oauth.NewUserMapper(identityProvider.OAuthIDPTemplate.IDAttribute)
 		},
+		opts...,
 	)
 }
 

internal/api/ui/login/jwt_handler.go

@@ -81,7 +81,7 @@ func (l *Login) handleJWTExtraction(w http.ResponseWriter, r *http.Request, auth
 		l.renderError(w, r, authReq, err)
 		return
 	}
-	session := &jwt.Session{Provider: provider, Tokens: &oidc.Tokens[*oidc.IDTokenClaims]{IDToken: token, Token: &oauth2.Token{}}}
+	session := jwt.NewSession(provider, &oidc.Tokens[*oidc.IDTokenClaims]{IDToken: token, Token: &oauth2.Token{}})
 	user, err := session.FetchUser(r.Context())
 	if err != nil {
 		if _, _, actionErr := l.runPostExternalAuthenticationActions(new(domain.ExternalUser), tokens(session), authReq, r, user, err); actionErr != nil {

internal/api/ui/login/ldap_handler.go

@@ -66,7 +66,7 @@ func (l *Login) handleLDAPCallback(w http.ResponseWriter, r *http.Request) {
 		l.renderLDAPLogin(w, r, authReq, err)
 		return
 	}
-	session := &ldap.Session{Provider: provider, User: data.Username, Password: data.Password}
+	session := ldap.NewSession(provider, data.Username, data.Password)
 
 	user, err := session.FetchUser(r.Context())
 	if err != nil {

internal/auth/repository/auth_request.go

@@ -20,7 +20,7 @@ type AuthRequestRepository interface {
 	SetExternalUserLogin(ctx context.Context, authReqID, userAgentID string, user *domain.ExternalUser) error
 	SetLinkingUser(ctx context.Context, request *domain.AuthRequest, externalUser *domain.ExternalUser) error
 	SelectUser(ctx context.Context, authReqID, userID, userAgentID string) error
-	SelectExternalIDP(ctx context.Context, authReqID, idpConfigID, userAgentID string) error
+	SelectExternalIDP(ctx context.Context, authReqID, idpConfigID, userAgentID string, idpArguments map[string]any) error
 	VerifyPassword(ctx context.Context, id, userID, resourceOwner, password, userAgentID string, info *domain.BrowserInfo) error
 
 	VerifyMFAOTP(ctx context.Context, authRequestID, userID, resourceOwner, code, userAgentID string, info *domain.BrowserInfo) error

internal/auth/repository/eventsourcing/eventstore/auth_request.go

@@ -255,14 +255,14 @@ func (repo *AuthRequestRepo) CheckLoginName(ctx context.Context, id, loginName,
 	return repo.AuthRequests.UpdateAuthRequest(ctx, request)
 }
 
-func (repo *AuthRequestRepo) SelectExternalIDP(ctx context.Context, authReqID, idpConfigID, userAgentID string) (err error) {
+func (repo *AuthRequestRepo) SelectExternalIDP(ctx context.Context, authReqID, idpConfigID, userAgentID string, idpArguments map[string]any) (err error) {
 	ctx, span := tracing.NewSpan(ctx)
 	defer func() { span.EndWithError(err) }()
 	request, err := repo.getAuthRequest(ctx, authReqID, userAgentID)
 	if err != nil {
 		return err
 	}
-	err = repo.checkSelectedExternalIDP(request, idpConfigID)
+	err = repo.checkSelectedExternalIDP(request, idpConfigID, idpArguments)
 	if err != nil {
 		return err
 	}
@@ -984,10 +984,11 @@ func queryLoginPolicyToDomain(policy *query.LoginPolicy) *domain.LoginPolicy {
 	}
 }
 
-func (repo *AuthRequestRepo) checkSelectedExternalIDP(request *domain.AuthRequest, idpConfigID string) error {
+func (repo *AuthRequestRepo) checkSelectedExternalIDP(request *domain.AuthRequest, idpConfigID string, idpArguments map[string]any) error {
 	for _, externalIDP := range request.AllowedExternalIDPs {
 		if externalIDP.IDPConfigID == idpConfigID {
 			request.SelectedIDPConfigID = idpConfigID
+			request.SelectedIDPConfigArgs = idpArguments
 			return nil
 		}
 	}

internal/command/idp.go

@@ -20,6 +20,7 @@ type GenericOAuthProvider struct {
 	UserEndpoint          string
 	Scopes                []string
 	IDAttribute           string
+	UsePKCE               bool
 	IDPOptions            idp.Options
 }
 
@@ -30,6 +31,7 @@ type GenericOIDCProvider struct {
 	ClientSecret     string
 	Scopes           []string
 	IsIDTokenMapping bool
+	UsePKCE          bool
 	IDPOptions       idp.Options
 }
 

internal/command/idp_intent.go

@@ -25,7 +25,7 @@ import (
 	"github.com/zitadel/zitadel/internal/zerrors"
 )
 
-func (c *Commands) prepareCreateIntent(writeModel *IDPIntentWriteModel, idpID, successURL, failureURL string) preparation.Validation {
+func (c *Commands) prepareCreateIntent(writeModel *IDPIntentWriteModel, idpID, successURL, failureURL string, idpArguments map[string]any) preparation.Validation {
 	return func() (_ preparation.CreateCommands, err error) {
 		if idpID == "" {
 			return nil, zerrors.ThrowInvalidArgument(nil, "COMMAND-x8j2bk", "Errors.Intent.IDPMissing")
@@ -53,24 +53,25 @@ func (c *Commands) prepareCreateIntent(writeModel *IDPIntentWriteModel, idpID, s
 					successURL,
 					failureURL,
 					idpID,
+					idpArguments,
 				),
 			}, nil
 		}, nil
 	}
 }
 
-func (c *Commands) CreateIntent(ctx context.Context, idpID, successURL, failureURL, resourceOwner string) (*IDPIntentWriteModel, *domain.ObjectDetails, error) {
+func (c *Commands) CreateIntent(ctx context.Context, intentID, idpID, successURL, failureURL, resourceOwner string, idpArguments map[string]any) (*IDPIntentWriteModel, *domain.ObjectDetails, error) {
-	id, err := c.idGenerator.Next()
+	if intentID == "" {
-	if err != nil {
+		var err error
-		return nil, nil, err
+		intentID, err = c.idGenerator.Next()
-	}
+		if err != nil {
-	writeModel := NewIDPIntentWriteModel(id, resourceOwner)
+			return nil, nil, err
-	if err != nil {
+		}
-		return nil, nil, err
 	}
+	writeModel := NewIDPIntentWriteModel(intentID, resourceOwner)
 
 	//nolint: staticcheck
-	cmds, err := preparation.PrepareCommands(ctx, c.eventstore.Filter, c.prepareCreateIntent(writeModel, idpID, successURL, failureURL))
+	cmds, err := preparation.PrepareCommands(ctx, c.eventstore.Filter, c.prepareCreateIntent(writeModel, idpID, successURL, failureURL, idpArguments))
 	if err != nil {
 		return nil, nil, err
 	}
@@ -132,18 +133,17 @@ func (c *Commands) GetActiveIntent(ctx context.Context, intentID string) (*IDPIn
 	return intent, nil
 }
 
-func (c *Commands) AuthFromProvider(ctx context.Context, idpID, state string, idpCallback, samlRootURL string) (string, bool, error) {
+func (c *Commands) AuthFromProvider(ctx context.Context, idpID, idpCallback, samlRootURL string) (state string, session idp.Session, err error) {
+	state, err = c.idGenerator.Next()
+	if err != nil {
+		return "", nil, err
+	}
 	provider, err := c.GetProvider(ctx, idpID, idpCallback, samlRootURL)
 	if err != nil {
-		return "", false, err
+		return "", nil, err
 	}
-	session, err := provider.BeginAuth(ctx, state)
+	session, err = provider.BeginAuth(ctx, state)
-	if err != nil {
+	return state, session, err
-		return "", false, err
-	}
-
-	content, redirect := session.GetAuth(ctx)
-	return content, redirect, nil
 }
 
 func getIDPIntentWriteModel(ctx context.Context, writeModel *IDPIntentWriteModel, filter preparation.FilterToQueryReducer) error {

internal/command/idp_intent_model.go

@@ -12,13 +12,14 @@ import (
 type IDPIntentWriteModel struct {
 	eventstore.WriteModel
 
-	SuccessURL  *url.URL
+	SuccessURL   *url.URL
-	FailureURL  *url.URL
+	FailureURL   *url.URL
-	IDPID       string
+	IDPID        string
-	IDPUser     []byte
+	IDPArguments map[string]any
-	IDPUserID   string
+	IDPUser      []byte
-	IDPUserName string
+	IDPUserID    string
-	UserID      string
+	IDPUserName  string
+	UserID       string
 
 	IDPAccessToken *crypto.CryptoValue
 	IDPIDToken     string
@@ -81,6 +82,7 @@ func (wm *IDPIntentWriteModel) reduceStartedEvent(e *idpintent.StartedEvent) {
 	wm.SuccessURL = e.SuccessURL
 	wm.FailureURL = e.FailureURL
 	wm.IDPID = e.IDPID
+	wm.IDPArguments = e.IDPArguments
 	wm.State = domain.IDPIntentStateStarted
 }
 

internal/command/idp_intent_test.go

@@ -39,11 +39,13 @@ func TestCommands_CreateIntent(t *testing.T) {
 		idGenerator id.Generator
 	}
 	type args struct {
-		ctx        context.Context
+		ctx          context.Context
-		idpID      string
+		intentID     string
-		successURL string
+		idpID        string
-		failureURL string
+		successURL   string
-		instanceID string
+		failureURL   string
+		instanceID   string
+		idpArguments map[string]any
 	}
 	type res struct {
 		intentID string
@@ -182,6 +184,7 @@ func TestCommands_CreateIntent(t *testing.T) {
 								"user",
 								"idAttribute",
 								nil,
+								true,
 								rep_idp.Options{},
 							)),
 					),
@@ -195,6 +198,7 @@ func TestCommands_CreateIntent(t *testing.T) {
 								success,
 								failure,
 								"idp",
+								nil,
 							)
 						}(),
 					),
@@ -235,6 +239,7 @@ func TestCommands_CreateIntent(t *testing.T) {
 								"user",
 								"idAttribute",
 								nil,
+								true,
 								rep_idp.Options{},
 							)),
 					),
@@ -248,6 +253,9 @@ func TestCommands_CreateIntent(t *testing.T) {
 								success,
 								failure,
 								"idp",
+								map[string]interface{}{
+									"verifier": "pkceOAuthVerifier",
+								},
 							)
 						}(),
 					),
@@ -260,6 +268,9 @@ func TestCommands_CreateIntent(t *testing.T) {
 				idpID:      "idp",
 				successURL: "https://success.url",
 				failureURL: "https://failure.url",
+				idpArguments: map[string]interface{}{
+					"verifier": "pkceOAuthVerifier",
+				},
 			},
 			res{
 				intentID: "id",
@@ -288,6 +299,7 @@ func TestCommands_CreateIntent(t *testing.T) {
 								"user",
 								"idAttribute",
 								nil,
+								true,
 								rep_idp.Options{},
 							)),
 					),
@@ -301,6 +313,9 @@ func TestCommands_CreateIntent(t *testing.T) {
 								success,
 								failure,
 								"idp",
+								map[string]interface{}{
+									"verifier": "pkceOAuthVerifier",
+								},
 							)
 						}(),
 					),
@@ -313,6 +328,69 @@ func TestCommands_CreateIntent(t *testing.T) {
 				idpID:      "idp",
 				successURL: "https://success.url",
 				failureURL: "https://failure.url",
+				idpArguments: map[string]interface{}{
+					"verifier": "pkceOAuthVerifier",
+				},
+			},
+			res{
+				intentID: "id",
+				details:  &domain.ObjectDetails{ResourceOwner: "instance"},
+			},
+		},
+		{
+			"push, with id",
+			fields{
+				eventstore: expectEventstore(
+					expectFilter(),
+					expectFilter(
+						eventFromEventPusher(
+							instance.NewOAuthIDPAddedEvent(context.Background(), &instance.NewAggregate("instance").Aggregate,
+								"idp",
+								"name",
+								"clientID",
+								&crypto.CryptoValue{
+									CryptoType: crypto.TypeEncryption,
+									Algorithm:  "enc",
+									KeyID:      "id",
+									Crypted:    []byte("clientSecret"),
+								},
+								"auth",
+								"token",
+								"user",
+								"idAttribute",
+								nil,
+								true,
+								rep_idp.Options{},
+							)),
+					),
+					expectPush(
+						func() eventstore.Command {
+							success, _ := url.Parse("https://success.url")
+							failure, _ := url.Parse("https://failure.url")
+							return idpintent.NewStartedEvent(
+								context.Background(),
+								&idpintent.NewAggregate("id", "instance").Aggregate,
+								success,
+								failure,
+								"idp",
+								map[string]interface{}{
+									"verifier": "pkceOAuthVerifier",
+								},
+							)
+						}(),
+					),
+				),
+			},
+			args{
+				ctx:        context.Background(),
+				instanceID: "instance",
+				intentID:   "id",
+				idpID:      "idp",
+				successURL: "https://success.url",
+				failureURL: "https://failure.url",
+				idpArguments: map[string]interface{}{
+					"verifier": "pkceOAuthVerifier",
+				},
 			},
 			res{
 				intentID: "id",
@@ -326,7 +404,7 @@ func TestCommands_CreateIntent(t *testing.T) {
 				eventstore:  tt.fields.eventstore(t),
 				idGenerator: tt.fields.idGenerator,
 			}
-			intentWriteModel, details, err := c.CreateIntent(tt.args.ctx, tt.args.idpID, tt.args.successURL, tt.args.failureURL, tt.args.instanceID)
+			intentWriteModel, details, err := c.CreateIntent(tt.args.ctx, tt.args.intentID, tt.args.idpID, tt.args.successURL, tt.args.failureURL, tt.args.instanceID, tt.args.idpArguments)
 			require.ErrorIs(t, err, tt.res.err)
 			if intentWriteModel != nil {
 				assert.Equal(t, tt.res.intentID, intentWriteModel.AggregateID)
@@ -342,11 +420,11 @@ func TestCommands_AuthFromProvider(t *testing.T) {
 	type fields struct {
 		eventstore   func(t *testing.T) *eventstore.Eventstore
 		secretCrypto crypto.EncryptionAlgorithm
+		idGenerator  id.Generator
 	}
 	type args struct {
 		ctx         context.Context
 		idpID       string
-		state       string
 		callbackURL string
 		samlRootURL string
 	}
@@ -361,6 +439,22 @@ func TestCommands_AuthFromProvider(t *testing.T) {
 		args   args
 		res    res
 	}{
+		{
+			"error no id generator",
+			fields{
+				secretCrypto: crypto.CreateMockEncryptionAlg(gomock.NewController(t)),
+				eventstore:   expectEventstore(),
+				idGenerator:  mock.NewIDGeneratorExpectError(t, zerrors.ThrowInternal(nil, "", "error id")),
+			},
+			args{
+				ctx:         authz.SetCtxData(context.Background(), authz.CtxData{OrgID: "ro"}),
+				idpID:       "idp",
+				callbackURL: "url",
+			},
+			res{
+				err: zerrors.ThrowInternal(nil, "", "error id"),
+			},
+		},
 		{
 			"idp not existing",
 			fields{
@@ -368,11 +462,11 @@ func TestCommands_AuthFromProvider(t *testing.T) {
 				eventstore: expectEventstore(
 					expectFilter(),
 				),
+				idGenerator: mock.ExpectID(t, "id"),
 			},
 			args{
 				ctx:         authz.SetCtxData(context.Background(), authz.CtxData{OrgID: "ro"}),
 				idpID:       "idp",
-				state:       "state",
 				callbackURL: "url",
 			},
 			res{
@@ -402,6 +496,7 @@ func TestCommands_AuthFromProvider(t *testing.T) {
 								"user",
 								"idAttribute",
 								nil,
+								true,
 								rep_idp.Options{},
 							)),
 						eventFromEventPusherWithInstanceID(
@@ -412,11 +507,11 @@ func TestCommands_AuthFromProvider(t *testing.T) {
 						),
 					),
 				),
+				idGenerator: mock.ExpectID(t, "id"),
 			},
 			args{
 				ctx:         authz.SetCtxData(context.Background(), authz.CtxData{OrgID: "ro"}),
 				idpID:       "idp",
-				state:       "state",
 				callbackURL: "url",
 			},
 			res{
@@ -446,6 +541,7 @@ func TestCommands_AuthFromProvider(t *testing.T) {
 								"user",
 								"idAttribute",
 								nil,
+								true,
 								rep_idp.Options{},
 							)),
 					),
@@ -467,19 +563,20 @@ func TestCommands_AuthFromProvider(t *testing.T) {
 								"user",
 								"idAttribute",
 								nil,
+								true,
 								rep_idp.Options{},
 							)),
 					),
 				),
+				idGenerator: mock.ExpectID(t, "id"),
 			},
 			args{
 				ctx:         authz.SetCtxData(context.Background(), authz.CtxData{OrgID: "ro"}),
 				idpID:       "idp",
-				state:       "state",
 				callbackURL: "url",
 			},
 			res{
-				content:  "auth?client_id=clientID&prompt=select_account&redirect_uri=url&response_type=code&state=state",
+				content:  "auth?client_id=clientID&prompt=select_account&redirect_uri=url&response_type=code&state=id",
 				redirect: true,
 			},
 		},
@@ -504,6 +601,7 @@ func TestCommands_AuthFromProvider(t *testing.T) {
 								},
 								[]string{"openid", "profile", "User.Read"},
 								false,
+								true,
 								rep_idp.Options{},
 							)),
 						eventFromEventPusherWithInstanceID(
@@ -540,6 +638,7 @@ func TestCommands_AuthFromProvider(t *testing.T) {
 								},
 								[]string{"openid", "profile", "User.Read"},
 								false,
+								true,
 								rep_idp.Options{},
 							)),
 						eventFromEventPusherWithInstanceID(
@@ -561,15 +660,15 @@ func TestCommands_AuthFromProvider(t *testing.T) {
 							)),
 					),
 				),
+				idGenerator: mock.ExpectID(t, "id"),
 			},
 			args{
 				ctx:         authz.SetCtxData(context.Background(), authz.CtxData{OrgID: "ro"}),
 				idpID:       "idp",
-				state:       "state",
 				callbackURL: "url",
 			},
 			res{
-				content:  "https://login.microsoftonline.com/tenant/oauth2/v2.0/authorize?client_id=clientID&prompt=select_account&redirect_uri=url&response_type=code&scope=openid+profile+User.Read&state=state",
+				content:  "https://login.microsoftonline.com/tenant/oauth2/v2.0/authorize?client_id=clientID&prompt=select_account&redirect_uri=url&response_type=code&scope=openid+profile+User.Read&state=id",
 				redirect: true,
 			},
 		},
@@ -579,9 +678,16 @@ func TestCommands_AuthFromProvider(t *testing.T) {
 			c := &Commands{
 				eventstore:          tt.fields.eventstore(t),
 				idpConfigEncryption: tt.fields.secretCrypto,
+				idGenerator:         tt.fields.idGenerator,
 			}
-			content, redirect, err := c.AuthFromProvider(tt.args.ctx, tt.args.idpID, tt.args.state, tt.args.callbackURL, tt.args.samlRootURL)
+			_, session, err := c.AuthFromProvider(tt.args.ctx, tt.args.idpID, tt.args.callbackURL, tt.args.samlRootURL)
 			require.ErrorIs(t, err, tt.res.err)
+
+			var content string
+			var redirect bool
+			if err == nil {
+				content, redirect = session.GetAuth(tt.args.ctx)
+			}
 			assert.Equal(t, tt.res.redirect, redirect)
 			assert.Equal(t, tt.res.content, content)
 		})
@@ -592,11 +698,11 @@ func TestCommands_AuthFromProvider_SAML(t *testing.T) {
 	type fields struct {
 		eventstore   func(t *testing.T) *eventstore.Eventstore
 		secretCrypto crypto.EncryptionAlgorithm
+		idGenerator  id.Generator
 	}
 	type args struct {
 		ctx         context.Context
 		idpID       string
-		state       string
 		callbackURL string
 		samlRootURL string
 	}
@@ -669,6 +775,7 @@ func TestCommands_AuthFromProvider_SAML(t *testing.T) {
 									success,
 									failure,
 									"idp",
+									nil,
 								)
 							}(),
 						),
@@ -683,11 +790,11 @@ func TestCommands_AuthFromProvider_SAML(t *testing.T) {
 						},
 					),
 				),
+				idGenerator: mock.ExpectID(t, "id"),
 			},
 			args{
 				ctx:         authz.SetCtxData(context.Background(), authz.CtxData{OrgID: "ro"}),
 				idpID:       "idp",
-				state:       "id",
 				callbackURL: "url",
 				samlRootURL: "samlurl",
 			},
@@ -705,10 +812,12 @@ func TestCommands_AuthFromProvider_SAML(t *testing.T) {
 			c := &Commands{
 				eventstore:          tt.fields.eventstore(t),
 				idpConfigEncryption: tt.fields.secretCrypto,
+				idGenerator:         tt.fields.idGenerator,
 			}
-			content, _, err := c.AuthFromProvider(tt.args.ctx, tt.args.idpID, tt.args.state, tt.args.callbackURL, tt.args.samlRootURL)
+			_, session, err := c.AuthFromProvider(tt.args.ctx, tt.args.idpID, tt.args.callbackURL, tt.args.samlRootURL)
 			require.ErrorIs(t, err, tt.res.err)
 
+			content, _ := session.GetAuth(tt.args.ctx)
 			authURL, err := url.Parse(content)
 			require.NoError(t, err)
 

internal/command/idp_model.go

@@ -45,6 +45,7 @@ type OAuthIDPWriteModel struct {
 	UserEndpoint          string
 	Scopes                []string
 	IDAttribute           string
+	UsePKCE               bool
 	idp.Options
 
 	State domain.IDPState
@@ -73,6 +74,7 @@ func (wm *OAuthIDPWriteModel) reduceAddedEvent(e *idp.OAuthIDPAddedEvent) {
 	wm.UserEndpoint = e.UserEndpoint
 	wm.Scopes = e.Scopes
 	wm.IDAttribute = e.IDAttribute
+	wm.UsePKCE = e.UsePKCE
 	wm.Options = e.Options
 	wm.State = domain.IDPStateActive
 }
@@ -102,6 +104,9 @@ func (wm *OAuthIDPWriteModel) reduceChangedEvent(e *idp.OAuthIDPChangedEvent) {
 	if e.IDAttribute != nil {
 		wm.IDAttribute = *e.IDAttribute
 	}
+	if e.UsePKCE != nil {
+		wm.UsePKCE = *e.UsePKCE
+	}
 	wm.Options.ReduceChanges(e.OptionChanges)
 }
 
@@ -115,6 +120,7 @@ func (wm *OAuthIDPWriteModel) NewChanges(
 	userEndpoint,
 	idAttribute string,
 	scopes []string,
+	usePKCE bool,
 	options idp.Options,
 ) ([]idp.OAuthIDPChanges, error) {
 	changes := make([]idp.OAuthIDPChanges, 0)
@@ -148,6 +154,9 @@ func (wm *OAuthIDPWriteModel) NewChanges(
 	if wm.IDAttribute != idAttribute {
 		changes = append(changes, idp.ChangeOAuthIDAttribute(idAttribute))
 	}
+	if wm.UsePKCE != usePKCE {
+		changes = append(changes, idp.ChangeOAuthUsePKCE(usePKCE))
+	}
 	opts := wm.Options.Changes(options)
 	if !opts.IsZero() {
 		changes = append(changes, idp.ChangeOAuthOptions(opts))
@@ -208,6 +217,7 @@ type OIDCIDPWriteModel struct {
 	ClientSecret     *crypto.CryptoValue
 	Scopes           []string
 	IsIDTokenMapping bool
+	UsePKCE          bool
 	idp.Options
 
 	State domain.IDPState
@@ -248,6 +258,7 @@ func (wm *OIDCIDPWriteModel) reduceAddedEvent(e *idp.OIDCIDPAddedEvent) {
 	wm.ClientSecret = e.ClientSecret
 	wm.Scopes = e.Scopes
 	wm.IsIDTokenMapping = e.IsIDTokenMapping
+	wm.UsePKCE = e.UsePKCE
 	wm.Options = e.Options
 	wm.State = domain.IDPStateActive
 }
@@ -271,6 +282,9 @@ func (wm *OIDCIDPWriteModel) reduceChangedEvent(e *idp.OIDCIDPChangedEvent) {
 	if e.IsIDTokenMapping != nil {
 		wm.IsIDTokenMapping = *e.IsIDTokenMapping
 	}
+	if e.UsePKCE != nil {
+		wm.UsePKCE = *e.UsePKCE
+	}
 	wm.Options.ReduceChanges(e.OptionChanges)
 }
 
@@ -281,7 +295,7 @@ func (wm *OIDCIDPWriteModel) NewChanges(
 	clientSecretString string,
 	secretCrypto crypto.EncryptionAlgorithm,
 	scopes []string,
-	idTokenMapping bool,
+	idTokenMapping, usePKCE bool,
 	options idp.Options,
 ) ([]idp.OIDCIDPChanges, error) {
 	changes := make([]idp.OIDCIDPChanges, 0)
@@ -309,6 +323,9 @@ func (wm *OIDCIDPWriteModel) NewChanges(
 	if wm.IsIDTokenMapping != idTokenMapping {
 		changes = append(changes, idp.ChangeOIDCIsIDTokenMapping(idTokenMapping))
 	}
+	if wm.UsePKCE != usePKCE {
+		changes = append(changes, idp.ChangeOIDCUsePKCE(usePKCE))
+	}
 	opts := wm.Options.Changes(options)
 	if !opts.IsZero() {
 		changes = append(changes, idp.ChangeOIDCOptions(opts))

internal/command/instance_idp.go

@@ -656,6 +656,7 @@ func (c *Commands) prepareAddInstanceOAuthProvider(a *instance.Aggregate, writeM
 					provider.UserEndpoint,
 					provider.IDAttribute,
 					provider.Scopes,
+					provider.UsePKCE,
 					provider.IDPOptions,
 				),
 			}, nil
@@ -711,6 +712,7 @@ func (c *Commands) prepareUpdateInstanceOAuthProvider(a *instance.Aggregate, wri
 				provider.UserEndpoint,
 				provider.IDAttribute,
 				provider.Scopes,
+				provider.UsePKCE,
 				provider.IDPOptions,
 			)
 			if err != nil || event == nil {
@@ -759,6 +761,7 @@ func (c *Commands) prepareAddInstanceOIDCProvider(a *instance.Aggregate, writeMo
 					secret,
 					provider.Scopes,
 					provider.IsIDTokenMapping,
+					provider.UsePKCE,
 					provider.IDPOptions,
 				),
 			}, nil
@@ -803,6 +806,7 @@ func (c *Commands) prepareUpdateInstanceOIDCProvider(a *instance.Aggregate, writ
 				c.idpConfigEncryption,
 				provider.Scopes,
 				provider.IsIDTokenMapping,
+				provider.UsePKCE,
 				provider.IDPOptions,
 			)
 			if err != nil || event == nil {

internal/command/instance_idp_model.go

@@ -68,6 +68,7 @@ func (wm *InstanceOAuthIDPWriteModel) NewChangedEvent(
 	userEndpoint,
 	idAttribute string,
 	scopes []string,
+	usePKCE bool,
 	options idp.Options,
 ) (*instance.OAuthIDPChangedEvent, error) {
 
@@ -81,6 +82,7 @@ func (wm *InstanceOAuthIDPWriteModel) NewChangedEvent(
 		userEndpoint,
 		idAttribute,
 		scopes,
+		usePKCE,
 		options,
 	)
 	if err != nil || len(changes) == 0 {
@@ -174,7 +176,7 @@ func (wm *InstanceOIDCIDPWriteModel) NewChangedEvent(
 	clientSecretString string,
 	secretCrypto crypto.EncryptionAlgorithm,
 	scopes []string,
-	idTokenMapping bool,
+	idTokenMapping, usePKCE bool,
 	options idp.Options,
 ) (*instance.OIDCIDPChangedEvent, error) {
 
@@ -186,6 +188,7 @@ func (wm *InstanceOIDCIDPWriteModel) NewChangedEvent(
 		secretCrypto,
 		scopes,
 		idTokenMapping,
+		usePKCE,
 		options,
 	)
 	if err != nil || len(changes) == 0 {

internal/command/instance_idp_test.go

@@ -270,6 +270,7 @@ func TestCommandSide_AddInstanceGenericOAuthIDP(t *testing.T) {
 							"user",
 							"idAttribute",
 							nil,
+							true,
 							idp.Options{},
 						),
 					),
@@ -287,6 +288,7 @@ func TestCommandSide_AddInstanceGenericOAuthIDP(t *testing.T) {
 					TokenEndpoint:         "token",
 					UserEndpoint:          "user",
 					IDAttribute:           "idAttribute",
+					UsePKCE:               true,
 				},
 			},
 			res: res{
@@ -315,6 +317,7 @@ func TestCommandSide_AddInstanceGenericOAuthIDP(t *testing.T) {
 							"user",
 							"idAttribute",
 							[]string{"user"},
+							true,
 							idp.Options{
 								IsCreationAllowed: true,
 								IsLinkingAllowed:  true,
@@ -338,6 +341,7 @@ func TestCommandSide_AddInstanceGenericOAuthIDP(t *testing.T) {
 					UserEndpoint:          "user",
 					Scopes:                []string{"user"},
 					IDAttribute:           "idAttribute",
+					UsePKCE:               true,
 					IDPOptions: idp.Options{
 						IsCreationAllowed: true,
 						IsLinkingAllowed:  true,
@@ -569,6 +573,7 @@ func TestCommandSide_UpdateInstanceGenericOAuthIDP(t *testing.T) {
 								"user",
 								"idAttribute",
 								nil,
+								true,
 								idp.Options{},
 							)),
 					),
@@ -584,6 +589,7 @@ func TestCommandSide_UpdateInstanceGenericOAuthIDP(t *testing.T) {
 					TokenEndpoint:         "token",
 					UserEndpoint:          "user",
 					IDAttribute:           "idAttribute",
+					UsePKCE:               true,
 				},
 			},
 			res: res{
@@ -611,6 +617,7 @@ func TestCommandSide_UpdateInstanceGenericOAuthIDP(t *testing.T) {
 								"user",
 								"idAttribute",
 								nil,
+								false,
 								idp.Options{},
 							)),
 					),
@@ -633,6 +640,7 @@ func TestCommandSide_UpdateInstanceGenericOAuthIDP(t *testing.T) {
 									idp.ChangeOAuthUserEndpoint("new user"),
 									idp.ChangeOAuthScopes([]string{"openid", "profile"}),
 									idp.ChangeOAuthIDAttribute("newAttribute"),
+									idp.ChangeOAuthUsePKCE(true),
 									idp.ChangeOAuthOptions(idp.OptionChanges{
 										IsCreationAllowed: &t,
 										IsLinkingAllowed:  &t,
@@ -659,6 +667,7 @@ func TestCommandSide_UpdateInstanceGenericOAuthIDP(t *testing.T) {
 					UserEndpoint:          "new user",
 					Scopes:                []string{"openid", "profile"},
 					IDAttribute:           "newAttribute",
+					UsePKCE:               true,
 					IDPOptions: idp.Options{
 						IsCreationAllowed: true,
 						IsLinkingAllowed:  true,
@@ -805,6 +814,7 @@ func TestCommandSide_AddInstanceGenericOIDCIDP(t *testing.T) {
 							},
 							nil,
 							false,
+							true,
 							idp.Options{},
 						),
 					),
@@ -819,6 +829,7 @@ func TestCommandSide_AddInstanceGenericOIDCIDP(t *testing.T) {
 					Issuer:       "issuer",
 					ClientID:     "clientID",
 					ClientSecret: "clientSecret",
+					UsePKCE:      true,
 				},
 			},
 			res: res{
@@ -845,6 +856,7 @@ func TestCommandSide_AddInstanceGenericOIDCIDP(t *testing.T) {
 							},
 							[]string{openid.ScopeOpenID},
 							true,
+							true,
 							idp.Options{
 								IsCreationAllowed: true,
 								IsLinkingAllowed:  true,
@@ -866,6 +878,7 @@ func TestCommandSide_AddInstanceGenericOIDCIDP(t *testing.T) {
 					ClientSecret:     "clientSecret",
 					Scopes:           []string{openid.ScopeOpenID},
 					IsIDTokenMapping: true,
+					UsePKCE:          true,
 					IDPOptions: idp.Options{
 						IsCreationAllowed: true,
 						IsLinkingAllowed:  true,
@@ -1029,6 +1042,7 @@ func TestCommandSide_UpdateInstanceGenericOIDCIDP(t *testing.T) {
 								},
 								nil,
 								false,
+								false,
 								idp.Options{},
 							)),
 					),
@@ -1066,6 +1080,7 @@ func TestCommandSide_UpdateInstanceGenericOIDCIDP(t *testing.T) {
 								},
 								nil,
 								false,
+								false,
 								idp.Options{},
 							)),
 					),
@@ -1086,6 +1101,7 @@ func TestCommandSide_UpdateInstanceGenericOIDCIDP(t *testing.T) {
 									}),
 									idp.ChangeOIDCScopes([]string{"openid", "profile"}),
 									idp.ChangeOIDCIsIDTokenMapping(true),
+									idp.ChangeOIDCUsePKCE(true),
 									idp.ChangeOIDCOptions(idp.OptionChanges{
 										IsCreationAllowed: &t,
 										IsLinkingAllowed:  &t,
@@ -1110,6 +1126,7 @@ func TestCommandSide_UpdateInstanceGenericOIDCIDP(t *testing.T) {
 					ClientSecret:     "newSecret",
 					Scopes:           []string{"openid", "profile"},
 					IsIDTokenMapping: true,
+					UsePKCE:          true,
 					IDPOptions: idp.Options{
 						IsCreationAllowed: true,
 						IsLinkingAllowed:  true,
@@ -1253,6 +1270,7 @@ func TestCommandSide_MigrateInstanceGenericOIDCToAzureADProvider(t *testing.T) {
 								},
 								nil,
 								false,
+								false,
 								idp.Options{},
 							)),
 					),
@@ -1311,6 +1329,7 @@ func TestCommandSide_MigrateInstanceGenericOIDCToAzureADProvider(t *testing.T) {
 								},
 								nil,
 								false,
+								false,
 								idp.Options{},
 							)),
 					),
@@ -1475,6 +1494,7 @@ func TestCommandSide_MigrateInstanceOIDCToGoogleIDP(t *testing.T) {
 								},
 								nil,
 								false,
+								false,
 								idp.Options{},
 							)),
 					),
@@ -1527,6 +1547,7 @@ func TestCommandSide_MigrateInstanceOIDCToGoogleIDP(t *testing.T) {
 								},
 								nil,
 								false,
+								false,
 								idp.Options{},
 							)),
 					),

internal/command/org_idp.go

@@ -628,6 +628,7 @@ func (c *Commands) prepareAddOrgOAuthProvider(a *org.Aggregate, writeModel *OrgO
 					provider.UserEndpoint,
 					provider.IDAttribute,
 					provider.Scopes,
+					provider.UsePKCE,
 					provider.IDPOptions,
 				),
 			}, nil
@@ -683,6 +684,7 @@ func (c *Commands) prepareUpdateOrgOAuthProvider(a *org.Aggregate, writeModel *O
 				provider.UserEndpoint,
 				provider.IDAttribute,
 				provider.Scopes,
+				provider.UsePKCE,
 				provider.IDPOptions,
 			)
 			if err != nil || event == nil {
@@ -731,6 +733,7 @@ func (c *Commands) prepareAddOrgOIDCProvider(a *org.Aggregate, writeModel *OrgOI
 					secret,
 					provider.Scopes,
 					provider.IsIDTokenMapping,
+					provider.UsePKCE,
 					provider.IDPOptions,
 				),
 			}, nil
@@ -775,6 +778,7 @@ func (c *Commands) prepareUpdateOrgOIDCProvider(a *org.Aggregate, writeModel *Or
 				c.idpConfigEncryption,
 				provider.Scopes,
 				provider.IsIDTokenMapping,
+				provider.UsePKCE,
 				provider.IDPOptions,
 			)
 			if err != nil || event == nil {

internal/command/org_idp_model.go

@@ -70,6 +70,7 @@ func (wm *OrgOAuthIDPWriteModel) NewChangedEvent(
 	userEndpoint,
 	idAttribute string,
 	scopes []string,
+	usePKCE bool,
 	options idp.Options,
 ) (*org.OAuthIDPChangedEvent, error) {
 
@@ -83,6 +84,7 @@ func (wm *OrgOAuthIDPWriteModel) NewChangedEvent(
 		userEndpoint,
 		idAttribute,
 		scopes,
+		usePKCE,
 		options,
 	)
 	if err != nil || len(changes) == 0 {
@@ -176,7 +178,7 @@ func (wm *OrgOIDCIDPWriteModel) NewChangedEvent(
 	clientSecretString string,
 	secretCrypto crypto.EncryptionAlgorithm,
 	scopes []string,
-	idTokenMapping bool,
+	idTokenMapping, usePKCE bool,
 	options idp.Options,
 ) (*org.OIDCIDPChangedEvent, error) {
 
@@ -188,6 +190,7 @@ func (wm *OrgOIDCIDPWriteModel) NewChangedEvent(
 		secretCrypto,
 		scopes,
 		idTokenMapping,
+		usePKCE,
 		options,
 	)
 	if err != nil || len(changes) == 0 {

internal/command/org_idp_test.go

@@ -210,6 +210,7 @@ func TestCommandSide_AddOrgGenericOAuthProvider(t *testing.T) {
 							"user",
 							"idAttribute",
 							nil,
+							false,
 							idp.Options{},
 						),
 					),
@@ -256,6 +257,7 @@ func TestCommandSide_AddOrgGenericOAuthProvider(t *testing.T) {
 							"user",
 							"idAttribute",
 							[]string{"user"},
+							true,
 							idp.Options{
 								IsCreationAllowed: true,
 								IsLinkingAllowed:  true,
@@ -280,6 +282,7 @@ func TestCommandSide_AddOrgGenericOAuthProvider(t *testing.T) {
 					UserEndpoint:          "user",
 					Scopes:                []string{"user"},
 					IDAttribute:           "idAttribute",
+					UsePKCE:               true,
 					IDPOptions: idp.Options{
 						IsCreationAllowed: true,
 						IsLinkingAllowed:  true,
@@ -520,6 +523,7 @@ func TestCommandSide_UpdateOrgGenericOAuthIDP(t *testing.T) {
 								"user",
 								"idAttribute",
 								nil,
+								false,
 								idp.Options{},
 							)),
 					),
@@ -536,6 +540,7 @@ func TestCommandSide_UpdateOrgGenericOAuthIDP(t *testing.T) {
 					TokenEndpoint:         "token",
 					UserEndpoint:          "user",
 					IDAttribute:           "idAttribute",
+					UsePKCE:               false,
 				},
 			},
 			res: res{
@@ -563,6 +568,7 @@ func TestCommandSide_UpdateOrgGenericOAuthIDP(t *testing.T) {
 								"user",
 								"idAttribute",
 								nil,
+								false,
 								idp.Options{},
 							)),
 					),
@@ -585,6 +591,7 @@ func TestCommandSide_UpdateOrgGenericOAuthIDP(t *testing.T) {
 									idp.ChangeOAuthUserEndpoint("new user"),
 									idp.ChangeOAuthScopes([]string{"openid", "profile"}),
 									idp.ChangeOAuthIDAttribute("newAttribute"),
+									idp.ChangeOAuthUsePKCE(true),
 									idp.ChangeOAuthOptions(idp.OptionChanges{
 										IsCreationAllowed: &t,
 										IsLinkingAllowed:  &t,
@@ -612,6 +619,7 @@ func TestCommandSide_UpdateOrgGenericOAuthIDP(t *testing.T) {
 					UserEndpoint:          "new user",
 					Scopes:                []string{"openid", "profile"},
 					IDAttribute:           "newAttribute",
+					UsePKCE:               true,
 					IDPOptions: idp.Options{
 						IsCreationAllowed: true,
 						IsLinkingAllowed:  true,
@@ -763,6 +771,7 @@ func TestCommandSide_AddOrgGenericOIDCIDP(t *testing.T) {
 							},
 							nil,
 							false,
+							false,
 							idp.Options{},
 						),
 					),
@@ -804,6 +813,7 @@ func TestCommandSide_AddOrgGenericOIDCIDP(t *testing.T) {
 							},
 							[]string{openid.ScopeOpenID},
 							true,
+							true,
 							idp.Options{
 								IsCreationAllowed: true,
 								IsLinkingAllowed:  true,
@@ -826,6 +836,7 @@ func TestCommandSide_AddOrgGenericOIDCIDP(t *testing.T) {
 					ClientSecret:     "clientSecret",
 					Scopes:           []string{openid.ScopeOpenID},
 					IsIDTokenMapping: true,
+					UsePKCE:          true,
 					IDPOptions: idp.Options{
 						IsCreationAllowed: true,
 						IsLinkingAllowed:  true,
@@ -995,6 +1006,7 @@ func TestCommandSide_UpdateOrgGenericOIDCIDP(t *testing.T) {
 								},
 								nil,
 								false,
+								false,
 								idp.Options{},
 							)),
 					),
@@ -1033,6 +1045,7 @@ func TestCommandSide_UpdateOrgGenericOIDCIDP(t *testing.T) {
 								},
 								nil,
 								false,
+								false,
 								idp.Options{},
 							)),
 					),
@@ -1053,6 +1066,7 @@ func TestCommandSide_UpdateOrgGenericOIDCIDP(t *testing.T) {
 									}),
 									idp.ChangeOIDCScopes([]string{"openid", "profile"}),
 									idp.ChangeOIDCIsIDTokenMapping(true),
+									idp.ChangeOIDCUsePKCE(true),
 									idp.ChangeOIDCOptions(idp.OptionChanges{
 										IsCreationAllowed: &t,
 										IsLinkingAllowed:  &t,
@@ -1078,6 +1092,7 @@ func TestCommandSide_UpdateOrgGenericOIDCIDP(t *testing.T) {
 					ClientSecret:     "newSecret",
 					Scopes:           []string{"openid", "profile"},
 					IsIDTokenMapping: true,
+					UsePKCE:          true,
 					IDPOptions: idp.Options{
 						IsCreationAllowed: true,
 						IsLinkingAllowed:  true,
@@ -1225,6 +1240,7 @@ func TestCommandSide_MigrateOrgGenericOIDCToAzureADProvider(t *testing.T) {
 								},
 								nil,
 								false,
+								false,
 								idp.Options{},
 							)),
 					),
@@ -1284,6 +1300,7 @@ func TestCommandSide_MigrateOrgGenericOIDCToAzureADProvider(t *testing.T) {
 								},
 								nil,
 								false,
+								false,
 								idp.Options{},
 							)),
 					),
@@ -1452,6 +1469,7 @@ func TestCommandSide_MigrateOrgOIDCToGoogleIDP(t *testing.T) {
 								},
 								nil,
 								false,
+								false,
 								idp.Options{},
 							)),
 					),
@@ -1505,6 +1523,7 @@ func TestCommandSide_MigrateOrgOIDCToGoogleIDP(t *testing.T) {
 								},
 								nil,
 								false,
+								false,
 								idp.Options{},
 							)),
 					),

internal/command/session_test.go

@@ -837,6 +837,7 @@ func TestCommands_updateSession(t *testing.T) {
 								nil,
 								nil,
 								"idpID",
+								nil,
 							),
 						),
 						eventFromEventPusher(

internal/domain/auth_request.go

@@ -43,6 +43,7 @@ type AuthRequest struct {
 	ApplicationResourceOwner string
 	PrivateLabelingSetting   PrivateLabelingSetting
 	SelectedIDPConfigID      string
+	SelectedIDPConfigArgs    map[string]any
 	LinkingUsers             []*ExternalUser
 	PossibleSteps            []NextStep `json:"-"`
 	PasswordVerified         bool

internal/idp/providers/apple/session.go

@@ -17,6 +17,10 @@ type Session struct {
 	UserFormValue string
 }
 
+func NewSession(provider *Provider, code, userFormValue string) *Session {
+	return &Session{Session: oidc.NewSession(provider.Provider, code, nil), UserFormValue: userFormValue}
+}
+
 type userFormValue struct {
 	Name userNamesFormValue `json:"name,omitempty" schema:"name"`
 }

internal/idp/providers/azuread/session.go

@@ -20,6 +20,10 @@ type Session struct {
 	OAuthSession *oauth.Session
 }
 
+func NewSession(provider *Provider, code string) *Session {
+	return &Session{Provider: provider, Code: code}
+}
+
 // GetAuth implements the [idp.Provider] interface by calling the wrapped [oauth.Session].
 func (s *Session) GetAuth(ctx context.Context) (content string, redirect bool) {
 	return s.oauth().GetAuth(ctx)
@@ -39,6 +43,11 @@ func (s *Session) RetrievePreviousID() (string, error) {
 	return userinfo.Subject, nil
 }
 
+// PersistentParameters implements the [idp.Session] interface.
+func (s *Session) PersistentParameters() map[string]any {
+	return nil
+}
+
 // FetchUser implements the [idp.Session] interface.
 // It will execute an OAuth 2.0 code exchange if needed to retrieve the access token,
 // call the specified userEndpoint and map the received information into an [idp.User].

internal/idp/providers/jwt/session.go

@@ -30,11 +30,20 @@ type Session struct {
 	Tokens  *oidc.Tokens[*oidc.IDTokenClaims]
 }
 
+func NewSession(provider *Provider, tokens *oidc.Tokens[*oidc.IDTokenClaims]) *Session {
+	return &Session{Provider: provider, Tokens: tokens}
+}
+
 // GetAuth implements the [idp.Session] interface.
 func (s *Session) GetAuth(ctx context.Context) (string, bool) {
 	return idp.Redirect(s.AuthURL)
 }
 
+// PersistentParameters implements the [idp.Session] interface.
+func (s *Session) PersistentParameters() map[string]any {
+	return nil
+}
+
 // FetchUser implements the [idp.Session] interface.
 // It will map the received idToken into an [idp.User].
 func (s *Session) FetchUser(ctx context.Context) (user idp.User, err error) {

internal/idp/providers/ldap/session.go

@@ -34,11 +34,21 @@ type Session struct {
 	Entry    *ldap.Entry
 }
 
+func NewSession(provider *Provider, username, password string) *Session {
+	return &Session{Provider: provider, User: username, Password: password}
+}
+
 // GetAuth implements the [idp.Session] interface.
 func (s *Session) GetAuth(ctx context.Context) (string, bool) {
 	return idp.Redirect(s.loginUrl)
 }
 
+// PersistentParameters implements the [idp.Session] interface.
+func (s *Session) PersistentParameters() map[string]any {
+	return nil
+}
+
+// FetchUser implements the [idp.Session] interface.
 func (s *Session) FetchUser(_ context.Context) (_ idp.User, err error) {
 	var user *ldap.Entry
 	for _, server := range s.Provider.servers {

internal/idp/providers/oauth/oauth2.go

@@ -23,6 +23,7 @@ type Provider struct {
 	isCreationAllowed bool
 	isAutoCreation    bool
 	isAutoUpdate      bool
+	generateVerifier  func() string
 }
 
 type ProviderOpts func(provider *Provider)
@@ -66,9 +67,10 @@ func WithRelyingPartyOption(option rp.Option) ProviderOpts {
 // New creates a generic OAuth 2.0 provider
 func New(config *oauth2.Config, name, userEndpoint string, userMapper func() idp.User, options ...ProviderOpts) (provider *Provider, err error) {
 	provider = &Provider{
-		name:         name,
+		name:             name,
-		userEndpoint: userEndpoint,
+		userEndpoint:     userEndpoint,
-		userMapper:   userMapper,
+		userMapper:       userMapper,
+		generateVerifier: oauth2.GenerateVerifier,
 	}
 	for _, option := range options {
 		option(provider)
@@ -99,8 +101,15 @@ func (p *Provider) BeginAuth(ctx context.Context, state string, params ...idp.Pa
 	if !loginHintSet {
 		opts = append(opts, rp.WithPrompt(oidc.PromptSelectAccount))
 	}
+
+	var codeVerifier string
+	if p.RelyingParty.IsPKCE() {
+		codeVerifier = p.generateVerifier()
+		opts = append(opts, rp.WithCodeChallenge(oidc.NewSHACodeChallenge(codeVerifier)))
+	}
+
 	url := rp.AuthURL(state, p.RelyingParty, opts...)
-	return &Session{AuthURL: url, Provider: p}, nil
+	return &Session{AuthURL: url, Provider: p, CodeVerifier: codeVerifier}, nil
 }
 
 func loginHint(hint string) rp.AuthURLOpt {

internal/idp/providers/oauth/oauth2_test.go

@@ -18,6 +18,7 @@ func TestProvider_BeginAuth(t *testing.T) {
 		name         string
 		userEndpoint string
 		userMapper   func() idp.User
+		options      []ProviderOpts
 	}
 	tests := []struct {
 		name   string
@@ -25,7 +26,7 @@ func TestProvider_BeginAuth(t *testing.T) {
 		want   idp.Session
 	}{
 		{
-			name: "successful auth",
+			name: "successful auth without PKCE",
 			fields: fields{
 				config: &oauth2.Config{
 					ClientID:     "clientID",
@@ -40,14 +41,40 @@ func TestProvider_BeginAuth(t *testing.T) {
 			},
 			want: &Session{AuthURL: "https://oauth2.com/authorize?client_id=clientID&prompt=select_account&redirect_uri=redirectURI&response_type=code&scope=user&state=testState"},
 		},
+		{
+			name: "successful auth with PKCE",
+			fields: fields{
+				config: &oauth2.Config{
+					ClientID:     "clientID",
+					ClientSecret: "clientSecret",
+					Endpoint: oauth2.Endpoint{
+						AuthURL:  "https://oauth2.com/authorize",
+						TokenURL: "https://oauth2.com/token",
+					},
+					RedirectURL: "redirectURI",
+					Scopes:      []string{"user"},
+				},
+				options: []ProviderOpts{
+					WithLinkingAllowed(),
+					WithCreationAllowed(),
+					WithAutoCreation(),
+					WithAutoUpdate(),
+					WithRelyingPartyOption(rp.WithPKCE(nil)),
+				},
+			},
+			want: &Session{AuthURL: "https://oauth2.com/authorize?client_id=clientID&code_challenge=2ZoH_a01aprzLkwVbjlPsBo4m8mJ_zOKkaDqYM7Oh5w&code_challenge_method=S256&prompt=select_account&redirect_uri=redirectURI&response_type=code&scope=user&state=testState"},
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			a := assert.New(t)
 			r := require.New(t)
 
-			provider, err := New(tt.fields.config, tt.fields.name, tt.fields.userEndpoint, tt.fields.userMapper)
+			provider, err := New(tt.fields.config, tt.fields.name, tt.fields.userEndpoint, tt.fields.userMapper, tt.fields.options...)
 			r.NoError(err)
+			provider.generateVerifier = func() string {
+				return "pkceOAuthVerifier"
+			}
 
 			ctx := context.Background()
 			session, err := provider.BeginAuth(ctx, "testState")

internal/idp/providers/oauth/session.go

@@ -14,22 +14,40 @@ import (
 
 var ErrCodeMissing = errors.New("no auth code provided")
 
+const (
+	CodeVerifier = "codeVerifier"
+)
+
 var _ idp.Session = (*Session)(nil)
 
 // Session is the [idp.Session] implementation for the OAuth2.0 provider.
 type Session struct {
-	AuthURL string
+	AuthURL      string
-	Code    string
+	CodeVerifier string
-	Tokens  *oidc.Tokens[*oidc.IDTokenClaims]
+	Code         string
+	Tokens       *oidc.Tokens[*oidc.IDTokenClaims]
 
 	Provider *Provider
 }
 
+func NewSession(provider *Provider, code string, idpArguments map[string]any) *Session {
+	verifier, _ := idpArguments[CodeVerifier].(string)
+	return &Session{Provider: provider, Code: code, CodeVerifier: verifier}
+}
+
 // GetAuth implements the [idp.Session] interface.
 func (s *Session) GetAuth(ctx context.Context) (string, bool) {
 	return idp.Redirect(s.AuthURL)
 }
 
+// PersistentParameters implements the [idp.Session] interface.
+func (s *Session) PersistentParameters() map[string]any {
+	if s.CodeVerifier == "" {
+		return nil
+	}
+	return map[string]any{CodeVerifier: s.CodeVerifier}
+}
+
 // FetchUser implements the [idp.Session] interface.
 // It will execute an OAuth 2.0 code exchange if needed to retrieve the access token,
 // call the specified userEndpoint and map the received information into an [idp.User].
@@ -55,7 +73,11 @@ func (s *Session) authorize(ctx context.Context) (err error) {
 	if s.Code == "" {
 		return ErrCodeMissing
 	}
-	s.Tokens, err = rp.CodeExchange[*oidc.IDTokenClaims](ctx, s.Code, s.Provider.RelyingParty)
+	var opts []rp.CodeExchangeOpt
+	if s.CodeVerifier != "" {
+		opts = append(opts, rp.WithCodeVerifier(s.CodeVerifier))
+	}
+	s.Tokens, err = rp.CodeExchange[*oidc.IDTokenClaims](ctx, s.Code, s.Provider.RelyingParty, opts...)
 
 	return err
 }

internal/idp/providers/oidc/oidc.go

@@ -24,6 +24,7 @@ type Provider struct {
 	useIDToken        bool
 	userInfoMapper    func(info *oidc.UserInfo) idp.User
 	authOptions       []func(bool) rp.AuthURLOpt
+	generateVerifier  func() string
 }
 
 type ProviderOpts func(provider *Provider)
@@ -102,8 +103,9 @@ var DefaultMapper UserInfoMapper = func(info *oidc.UserInfo) idp.User {
 // New creates a generic OIDC provider
 func New(name, issuer, clientID, clientSecret, redirectURI string, scopes []string, userInfoMapper UserInfoMapper, options ...ProviderOpts) (provider *Provider, err error) {
 	provider = &Provider{
-		name:           name,
+		name:             name,
-		userInfoMapper: userInfoMapper,
+		userInfoMapper:   userInfoMapper,
+		generateVerifier: oauth2.GenerateVerifier,
 	}
 	for _, option := range options {
 		option(provider)
@@ -150,8 +152,15 @@ func (p *Provider) BeginAuth(ctx context.Context, state string, params ...idp.Pa
 			opts = append(opts, opt)
 		}
 	}
+
+	var codeVerifier string
+	if p.RelyingParty.IsPKCE() {
+		codeVerifier = p.generateVerifier()
+		opts = append(opts, rp.WithCodeChallenge(oidc.NewSHACodeChallenge(codeVerifier)))
+	}
+
 	url := rp.AuthURL(state, p.RelyingParty, opts...)
-	return &Session{AuthURL: url, Provider: p}, nil
+	return &Session{AuthURL: url, Provider: p, CodeVerifier: codeVerifier}, nil
 }
 
 func loginHint(hint string) rp.AuthURLOpt {

internal/idp/providers/oidc/oidc_test.go

@@ -31,7 +31,7 @@ func TestProvider_BeginAuth(t *testing.T) {
 		want   idp.Session
 	}{
 		{
-			name: "successful auth",
+			name: "successful auth without PKCE",
 			fields: fields{
 				name:         "oidc",
 				issuer:       "https://issuer.com",
@@ -55,6 +55,31 @@ func TestProvider_BeginAuth(t *testing.T) {
 			},
 			want: &Session{AuthURL: "https://issuer.com/authorize?client_id=clientID&prompt=select_account&redirect_uri=redirectURI&response_type=code&scope=openid&state=testState"},
 		},
+		{
+			name: "successful auth with PKCE",
+			fields: fields{
+				name:         "oidc",
+				issuer:       "https://issuer.com",
+				clientID:     "clientID",
+				clientSecret: "clientSecret",
+				redirectURI:  "redirectURI",
+				scopes:       []string{"openid"},
+				userMapper:   DefaultMapper,
+				httpMock: func(issuer string) {
+					gock.New(issuer).
+						Get(oidc.DiscoveryEndpoint).
+						Reply(200).
+						JSON(&oidc.DiscoveryConfiguration{
+							Issuer:                issuer,
+							AuthorizationEndpoint: issuer + "/authorize",
+							TokenEndpoint:         issuer + "/token",
+							UserinfoEndpoint:      issuer + "/userinfo",
+						})
+				},
+				opts: []ProviderOpts{WithSelectAccount(), WithRelyingPartyOption(rp.WithPKCE(nil))},
+			},
+			want: &Session{AuthURL: "https://issuer.com/authorize?client_id=clientID&code_challenge=2ZoH_a01aprzLkwVbjlPsBo4m8mJ_zOKkaDqYM7Oh5w&code_challenge_method=S256&prompt=select_account&redirect_uri=redirectURI&response_type=code&scope=openid&state=testState"},
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
@@ -65,6 +90,9 @@ func TestProvider_BeginAuth(t *testing.T) {
 
 			provider, err := New(tt.fields.name, tt.fields.issuer, tt.fields.clientID, tt.fields.clientSecret, tt.fields.redirectURI, tt.fields.scopes, tt.fields.userMapper, tt.fields.opts...)
 			r.NoError(err)
+			provider.generateVerifier = func() string {
+				return "pkceOAuthVerifier"
+			}
 
 			ctx := context.Background()
 			session, err := provider.BeginAuth(ctx, "testState")

internal/idp/providers/oidc/session.go

@@ -10,6 +10,7 @@ import (
 
 	"github.com/zitadel/zitadel/internal/domain"
 	"github.com/zitadel/zitadel/internal/idp"
+	"github.com/zitadel/zitadel/internal/idp/providers/oauth"
 )
 
 var ErrCodeMissing = errors.New("no auth code provided")
@@ -18,10 +19,16 @@ var _ idp.Session = (*Session)(nil)
 
 // Session is the [idp.Session] implementation for the OIDC provider.
 type Session struct {
-	Provider *Provider
+	Provider     *Provider
-	AuthURL  string
+	AuthURL      string
-	Code     string
+	CodeVerifier string
-	Tokens   *oidc.Tokens[*oidc.IDTokenClaims]
+	Code         string
+	Tokens       *oidc.Tokens[*oidc.IDTokenClaims]
+}
+
+func NewSession(provider *Provider, code string, idpArguments map[string]any) *Session {
+	verifier, _ := idpArguments[oauth.CodeVerifier].(string)
+	return &Session{Provider: provider, Code: code, CodeVerifier: verifier}
 }
 
 // GetAuth implements the [idp.Session] interface.
@@ -29,6 +36,14 @@ func (s *Session) GetAuth(ctx context.Context) (string, bool) {
 	return idp.Redirect(s.AuthURL)
 }
 
+// PersistentParameters implements the [idp.Session] interface.
+func (s *Session) PersistentParameters() map[string]any {
+	if s.CodeVerifier == "" {
+		return nil
+	}
+	return map[string]any{oauth.CodeVerifier: s.CodeVerifier}
+}
+
 // FetchUser implements the [idp.Session] interface.
 // It will execute an OIDC code exchange if needed to retrieve the tokens,
 // call the userinfo endpoint and map the received information into an [idp.User].
@@ -61,7 +76,11 @@ func (s *Session) Authorize(ctx context.Context) (err error) {
 	if s.Code == "" {
 		return ErrCodeMissing
 	}
-	s.Tokens, err = rp.CodeExchange[*oidc.IDTokenClaims](ctx, s.Code, s.Provider.RelyingParty)
+	var opts []rp.CodeExchangeOpt
+	if s.CodeVerifier != "" {
+		opts = append(opts, rp.WithCodeVerifier(s.CodeVerifier))
+	}
+	s.Tokens, err = rp.CodeExchange[*oidc.IDTokenClaims](ctx, s.Code, s.Provider.RelyingParty, opts...)
 	return err
 }
 

internal/idp/providers/saml/session.go

@@ -60,6 +60,11 @@ func (s *Session) GetAuth(ctx context.Context) (string, bool) {
 	return idp.Form(resp.content.String())
 }
 
+// PersistentParameters implements the [idp.Session] interface.
+func (s *Session) PersistentParameters() map[string]any {
+	return nil
+}
+
 // FetchUser implements the [idp.Session] interface.
 func (s *Session) FetchUser(ctx context.Context) (user idp.User, err error) {
 	if s.RequestID == "" || s.Request == nil {

internal/idp/session.go

@@ -7,6 +7,7 @@ import (
 // Session is the minimal implementation for a session of a 3rd party authentication [Provider]
 type Session interface {
 	GetAuth(ctx context.Context) (content string, redirect bool)
+	PersistentParameters() map[string]any
 	FetchUser(ctx context.Context) (User, error)
 }
 

internal/integration/sink/server.go

@@ -327,7 +327,7 @@ func successfulIntentHandler(cmd *command.Commands, createIntent func(ctx contex
 }
 
 func createIntent(ctx context.Context, cmd *command.Commands, instanceID, idpID string) (string, error) {
-	writeModel, _, err := cmd.CreateIntent(ctx, idpID, "https://example.com/success", "https://example.com/failure", instanceID)
+	writeModel, _, err := cmd.CreateIntent(ctx, "", idpID, "https://example.com/success", "https://example.com/failure", instanceID, nil)
 	if err != nil {
 		return "", err
 	}

internal/query/idp_template.go

@@ -64,6 +64,7 @@ type OAuthIDPTemplate struct {
 	UserEndpoint          string
 	Scopes                database.TextArray[string]
 	IDAttribute           string
+	UsePKCE               bool
 }
 
 type OIDCIDPTemplate struct {
@@ -73,6 +74,7 @@ type OIDCIDPTemplate struct {
 	Issuer           string
 	Scopes           database.TextArray[string]
 	IsIDTokenMapping bool
+	UsePKCE          bool
 }
 
 type JWTIDPTemplate struct {
@@ -278,6 +280,10 @@ var (
 		name:  projection.OAuthIDAttributeCol,
 		table: oauthIdpTemplateTable,
 	}
+	OAuthUsePKCECol = Column{
+		name:  projection.OAuthUsePKCECol,
+		table: oauthIdpTemplateTable,
+	}
 )
 
 var (
@@ -313,6 +319,10 @@ var (
 		name:  projection.OIDCIDTokenMappingCol,
 		table: oidcIdpTemplateTable,
 	}
+	OIDCUsePKCECol = Column{
+		name:  projection.OIDCUsePKCECol,
+		table: oidcIdpTemplateTable,
+	}
 )
 
 var (
@@ -879,6 +889,7 @@ func prepareIDPTemplateByIDQuery(ctx context.Context, db prepareDatabase) (sq.Se
 			OAuthUserEndpointCol.identifier(),
 			OAuthScopesCol.identifier(),
 			OAuthIDAttributeCol.identifier(),
+			OAuthUsePKCECol.identifier(),
 			// oidc
 			OIDCIDCol.identifier(),
 			OIDCIssuerCol.identifier(),
@@ -886,6 +897,7 @@ func prepareIDPTemplateByIDQuery(ctx context.Context, db prepareDatabase) (sq.Se
 			OIDCClientSecretCol.identifier(),
 			OIDCScopesCol.identifier(),
 			OIDCIDTokenMappingCol.identifier(),
+			OIDCUsePKCECol.identifier(),
 			// jwt
 			JWTIDCol.identifier(),
 			JWTIssuerCol.identifier(),
@@ -996,6 +1008,7 @@ func prepareIDPTemplateByIDQuery(ctx context.Context, db prepareDatabase) (sq.Se
 			oauthUserEndpoint := sql.NullString{}
 			oauthScopes := database.TextArray[string]{}
 			oauthIDAttribute := sql.NullString{}
+			oauthUserPKCE := sql.NullBool{}
 
 			oidcID := sql.NullString{}
 			oidcIssuer := sql.NullString{}
@@ -1003,6 +1016,7 @@ func prepareIDPTemplateByIDQuery(ctx context.Context, db prepareDatabase) (sq.Se
 			oidcClientSecret := new(crypto.CryptoValue)
 			oidcScopes := database.TextArray[string]{}
 			oidcIDTokenMapping := sql.NullBool{}
+			oidcUserPKCE := sql.NullBool{}
 
 			jwtID := sql.NullString{}
 			jwtIssuer := sql.NullString{}
@@ -1111,6 +1125,7 @@ func prepareIDPTemplateByIDQuery(ctx context.Context, db prepareDatabase) (sq.Se
 				&oauthUserEndpoint,
 				&oauthScopes,
 				&oauthIDAttribute,
+				&oauthUserPKCE,
 				// oidc
 				&oidcID,
 				&oidcIssuer,
@@ -1118,6 +1133,7 @@ func prepareIDPTemplateByIDQuery(ctx context.Context, db prepareDatabase) (sq.Se
 				&oidcClientSecret,
 				&oidcScopes,
 				&oidcIDTokenMapping,
+				&oidcUserPKCE,
 				// jwt
 				&jwtID,
 				&jwtIssuer,
@@ -1221,6 +1237,7 @@ func prepareIDPTemplateByIDQuery(ctx context.Context, db prepareDatabase) (sq.Se
 					UserEndpoint:          oauthUserEndpoint.String,
 					Scopes:                oauthScopes,
 					IDAttribute:           oauthIDAttribute.String,
+					UsePKCE:               oauthUserPKCE.Bool,
 				}
 			}
 			if oidcID.Valid {
@@ -1231,6 +1248,7 @@ func prepareIDPTemplateByIDQuery(ctx context.Context, db prepareDatabase) (sq.Se
 					Issuer:           oidcIssuer.String,
 					Scopes:           oidcScopes,
 					IsIDTokenMapping: oidcIDTokenMapping.Bool,
+					UsePKCE:          oidcUserPKCE.Bool,
 				}
 			}
 			if jwtID.Valid {
@@ -1378,6 +1396,7 @@ func prepareIDPTemplatesQuery(ctx context.Context, db prepareDatabase) (sq.Selec
 			OAuthUserEndpointCol.identifier(),
 			OAuthScopesCol.identifier(),
 			OAuthIDAttributeCol.identifier(),
+			OAuthUsePKCECol.identifier(),
 			// oidc
 			OIDCIDCol.identifier(),
 			OIDCIssuerCol.identifier(),
@@ -1385,6 +1404,7 @@ func prepareIDPTemplatesQuery(ctx context.Context, db prepareDatabase) (sq.Selec
 			OIDCClientSecretCol.identifier(),
 			OIDCScopesCol.identifier(),
 			OIDCIDTokenMappingCol.identifier(),
+			OIDCUsePKCECol.identifier(),
 			// jwt
 			JWTIDCol.identifier(),
 			JWTIssuerCol.identifier(),
@@ -1500,6 +1520,7 @@ func prepareIDPTemplatesQuery(ctx context.Context, db prepareDatabase) (sq.Selec
 				oauthUserEndpoint := sql.NullString{}
 				oauthScopes := database.TextArray[string]{}
 				oauthIDAttribute := sql.NullString{}
+				oauthUserPKCE := sql.NullBool{}
 
 				oidcID := sql.NullString{}
 				oidcIssuer := sql.NullString{}
@@ -1507,6 +1528,7 @@ func prepareIDPTemplatesQuery(ctx context.Context, db prepareDatabase) (sq.Selec
 				oidcClientSecret := new(crypto.CryptoValue)
 				oidcScopes := database.TextArray[string]{}
 				oidcIDTokenMapping := sql.NullBool{}
+				oidcUserPKCE := sql.NullBool{}
 
 				jwtID := sql.NullString{}
 				jwtIssuer := sql.NullString{}
@@ -1615,6 +1637,7 @@ func prepareIDPTemplatesQuery(ctx context.Context, db prepareDatabase) (sq.Selec
 					&oauthUserEndpoint,
 					&oauthScopes,
 					&oauthIDAttribute,
+					&oauthUserPKCE,
 					// oidc
 					&oidcID,
 					&oidcIssuer,
@@ -1622,6 +1645,7 @@ func prepareIDPTemplatesQuery(ctx context.Context, db prepareDatabase) (sq.Selec
 					&oidcClientSecret,
 					&oidcScopes,
 					&oidcIDTokenMapping,
+					&oidcUserPKCE,
 					// jwt
 					&jwtID,
 					&jwtIssuer,
@@ -1724,6 +1748,7 @@ func prepareIDPTemplatesQuery(ctx context.Context, db prepareDatabase) (sq.Selec
 						UserEndpoint:          oauthUserEndpoint.String,
 						Scopes:                oauthScopes,
 						IDAttribute:           oauthIDAttribute.String,
+						UsePKCE:               oauthUserPKCE.Bool,
 					}
 				}
 				if oidcID.Valid {
@@ -1734,6 +1759,7 @@ func prepareIDPTemplatesQuery(ctx context.Context, db prepareDatabase) (sq.Selec
 						Issuer:           oidcIssuer.String,
 						Scopes:           oidcScopes,
 						IsIDTokenMapping: oidcIDTokenMapping.Bool,
+						UsePKCE:          oidcUserPKCE.Bool,
 					}
 				}
 				if jwtID.Valid {

internal/query/idp_template_test.go

@@ -39,6 +39,7 @@ var (
 		` projections.idp_templates6_oauth2.user_endpoint,` +
 		` projections.idp_templates6_oauth2.scopes,` +
 		` projections.idp_templates6_oauth2.id_attribute,` +
+		` projections.idp_templates6_oauth2.use_pkce,` +
 		// oidc
 		` projections.idp_templates6_oidc.idp_id,` +
 		` projections.idp_templates6_oidc.issuer,` +
@@ -46,6 +47,7 @@ var (
 		` projections.idp_templates6_oidc.client_secret,` +
 		` projections.idp_templates6_oidc.scopes,` +
 		` projections.idp_templates6_oidc.id_token_mapping,` +
+		` projections.idp_templates6_oidc.use_pkce,` +
 		// jwt
 		` projections.idp_templates6_jwt.idp_id,` +
 		` projections.idp_templates6_jwt.issuer,` +
@@ -167,6 +169,7 @@ var (
 		"user_endpoint",
 		"scopes",
 		"id_attribute",
+		"use_pkce",
 		// oidc config
 		"id_id",
 		"issuer",
@@ -174,6 +177,7 @@ var (
 		"client_secret",
 		"scopes",
 		"id_token_mapping",
+		"use_pkce",
 		// jwt
 		"idp_id",
 		"issuer",
@@ -281,6 +285,7 @@ var (
 		` projections.idp_templates6_oauth2.user_endpoint,` +
 		` projections.idp_templates6_oauth2.scopes,` +
 		` projections.idp_templates6_oauth2.id_attribute,` +
+		` projections.idp_templates6_oauth2.use_pkce,` +
 		// oidc
 		` projections.idp_templates6_oidc.idp_id,` +
 		` projections.idp_templates6_oidc.issuer,` +
@@ -288,6 +293,7 @@ var (
 		` projections.idp_templates6_oidc.client_secret,` +
 		` projections.idp_templates6_oidc.scopes,` +
 		` projections.idp_templates6_oidc.id_token_mapping,` +
+		` projections.idp_templates6_oidc.use_pkce,` +
 		// jwt
 		` projections.idp_templates6_jwt.idp_id,` +
 		` projections.idp_templates6_jwt.issuer,` +
@@ -410,6 +416,7 @@ var (
 		"user_endpoint",
 		"scopes",
 		"id_attribute",
+		"use_pkce",
 		// oidc config
 		"id_id",
 		"issuer",
@@ -417,6 +424,7 @@ var (
 		"client_secret",
 		"scopes",
 		"id_token_mapping",
+		"use_pkce",
 		// jwt
 		"idp_id",
 		"issuer",
@@ -564,6 +572,7 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
 						"user",
 						database.TextArray[string]{"profile"},
 						"id-attribute",
+						true,
 						// oidc
 						nil,
 						nil,
@@ -571,6 +580,7 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
 						nil,
 						nil,
 						nil,
+						nil,
 						// jwt
 						nil,
 						nil,
@@ -681,6 +691,7 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
 					UserEndpoint:          "user",
 					Scopes:                []string{"profile"},
 					IDAttribute:           "id-attribute",
+					UsePKCE:               true,
 				},
 			},
 		},
@@ -715,6 +726,7 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
 						nil,
 						nil,
 						nil,
+						nil,
 						// oidc
 						"idp-id",
 						"issuer",
@@ -722,6 +734,7 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
 						nil,
 						database.TextArray[string]{"profile"},
 						true,
+						true,
 						// jwt
 						nil,
 						nil,
@@ -830,6 +843,7 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
 					ClientSecret:     nil,
 					Scopes:           []string{"profile"},
 					IsIDTokenMapping: true,
+					UsePKCE:          true,
 				},
 			},
 		},
@@ -864,6 +878,7 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
 						nil,
 						nil,
 						nil,
+						nil,
 						// oidc
 						nil,
 						nil,
@@ -871,6 +886,7 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
 						nil,
 						nil,
 						nil,
+						nil,
 						// jwt
 						"idp-id",
 						"issuer",
@@ -1012,6 +1028,7 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
 						nil,
 						nil,
 						nil,
+						nil,
 						// oidc
 						nil,
 						nil,
@@ -1019,6 +1036,7 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
 						nil,
 						nil,
 						nil,
+						nil,
 						// jwt
 						nil,
 						nil,
@@ -1159,6 +1177,7 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
 						nil,
 						nil,
 						nil,
+						nil,
 						// oidc
 						nil,
 						nil,
@@ -1166,6 +1185,7 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
 						nil,
 						nil,
 						nil,
+						nil,
 						// jwt
 						nil,
 						nil,
@@ -1306,6 +1326,7 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
 						nil,
 						nil,
 						nil,
+						nil,
 						// oidc
 						nil,
 						nil,
@@ -1313,6 +1334,7 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
 						nil,
 						nil,
 						nil,
+						nil,
 						// jwt
 						nil,
 						nil,
@@ -1454,6 +1476,7 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
 						nil,
 						nil,
 						nil,
+						nil,
 						// oidc
 						nil,
 						nil,
@@ -1461,6 +1484,7 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
 						nil,
 						nil,
 						nil,
+						nil,
 						// jwt
 						nil,
 						nil,
@@ -1601,6 +1625,7 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
 						nil,
 						nil,
 						nil,
+						nil,
 						// oidc
 						nil,
 						nil,
@@ -1608,6 +1633,7 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
 						nil,
 						nil,
 						nil,
+						nil,
 						// jwt
 						nil,
 						nil,
@@ -1752,6 +1778,7 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
 						nil,
 						nil,
 						nil,
+						nil,
 						// oidc
 						nil,
 						nil,
@@ -1759,6 +1786,7 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
 						nil,
 						nil,
 						nil,
+						nil,
 						// jwt
 						nil,
 						nil,
@@ -1920,6 +1948,7 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
 						nil,
 						nil,
 						nil,
+						nil,
 						// oidc
 						nil,
 						nil,
@@ -1927,6 +1956,7 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
 						nil,
 						nil,
 						nil,
+						nil,
 						// jwt
 						nil,
 						nil,
@@ -2069,6 +2099,7 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
 						nil,
 						nil,
 						nil,
+						nil,
 						// oidc
 						nil,
 						nil,
@@ -2076,6 +2107,7 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
 						nil,
 						nil,
 						nil,
+						nil,
 						// jwt
 						nil,
 						nil,
@@ -2246,6 +2278,7 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
 							nil,
 							nil,
 							nil,
+							nil,
 							// oidc
 							nil,
 							nil,
@@ -2253,6 +2286,7 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
 							nil,
 							nil,
 							nil,
+							nil,
 							// jwt
 							nil,
 							nil,
@@ -2423,6 +2457,7 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
 							nil,
 							nil,
 							nil,
+							nil,
 							// oidc
 							nil,
 							nil,
@@ -2430,6 +2465,7 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
 							nil,
 							nil,
 							nil,
+							nil,
 							// jwt
 							nil,
 							nil,
@@ -2573,6 +2609,7 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
 							nil,
 							nil,
 							nil,
+							nil,
 							// oidc
 							nil,
 							nil,
@@ -2580,6 +2617,7 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
 							nil,
 							nil,
 							nil,
+							nil,
 							// jwt
 							nil,
 							nil,
@@ -2688,6 +2726,7 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
 							nil,
 							nil,
 							nil,
+							nil,
 							// oidc
 							nil,
 							nil,
@@ -2695,6 +2734,7 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
 							nil,
 							nil,
 							nil,
+							nil,
 							// jwt
 							nil,
 							nil,
@@ -2803,6 +2843,7 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
 							nil,
 							nil,
 							nil,
+							nil,
 							// oidc
 							nil,
 							nil,
@@ -2810,6 +2851,7 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
 							nil,
 							nil,
 							nil,
+							nil,
 							// jwt
 							nil,
 							nil,
@@ -2918,6 +2960,7 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
 							"user",
 							database.TextArray[string]{"profile"},
 							"id-attribute",
+							true,
 							// oidc
 							nil,
 							nil,
@@ -2925,6 +2968,7 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
 							nil,
 							nil,
 							nil,
+							nil,
 							// jwt
 							nil,
 							nil,
@@ -3033,6 +3077,7 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
 							nil,
 							nil,
 							nil,
+							nil,
 							// oidc
 							"idp-id-oidc",
 							"issuer",
@@ -3040,6 +3085,7 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
 							nil,
 							database.TextArray[string]{"profile"},
 							true,
+							true,
 							// jwt
 							nil,
 							nil,
@@ -3148,6 +3194,7 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
 							nil,
 							nil,
 							nil,
+							nil,
 							// oidc
 							nil,
 							nil,
@@ -3155,6 +3202,7 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
 							nil,
 							nil,
 							nil,
+							nil,
 							// jwt
 							"idp-id-jwt",
 							"issuer",
@@ -3363,6 +3411,7 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
 							UserEndpoint:          "user",
 							Scopes:                []string{"profile"},
 							IDAttribute:           "id-attribute",
+							UsePKCE:               true,
 						},
 					},
 					{
@@ -3387,6 +3436,7 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
 							ClientSecret:     nil,
 							Scopes:           []string{"profile"},
 							IsIDTokenMapping: true,
+							UsePKCE:          true,
 						},
 					},
 					{

internal/query/projection/idp_template.go

@@ -70,6 +70,7 @@ const (
 	OAuthUserEndpointCol          = "user_endpoint"
 	OAuthScopesCol                = "scopes"
 	OAuthIDAttributeCol           = "id_attribute"
+	OAuthUsePKCECol               = "use_pkce"
 
 	OIDCIDCol             = "idp_id"
 	OIDCInstanceIDCol     = "instance_id"
@@ -78,6 +79,7 @@ const (
 	OIDCClientSecretCol   = "client_secret"
 	OIDCScopesCol         = "scopes"
 	OIDCIDTokenMappingCol = "id_token_mapping"
+	OIDCUsePKCECol        = "use_pkce"
 
 	JWTIDCol           = "idp_id"
 	JWTInstanceIDCol   = "instance_id"
@@ -217,6 +219,7 @@ func (*idpTemplateProjection) Init() *old_handler.Check {
 			handler.NewColumn(OAuthUserEndpointCol, handler.ColumnTypeText),
 			handler.NewColumn(OAuthScopesCol, handler.ColumnTypeTextArray, handler.Nullable()),
 			handler.NewColumn(OAuthIDAttributeCol, handler.ColumnTypeText),
+			handler.NewColumn(OAuthUsePKCECol, handler.ColumnTypeBool, handler.Default(false)),
 		},
 			handler.NewPrimaryKey(OAuthInstanceIDCol, OAuthIDCol),
 			IDPTemplateOAuthSuffix,
@@ -230,6 +233,7 @@ func (*idpTemplateProjection) Init() *old_handler.Check {
 			handler.NewColumn(OIDCClientSecretCol, handler.ColumnTypeJSONB),
 			handler.NewColumn(OIDCScopesCol, handler.ColumnTypeTextArray, handler.Nullable()),
 			handler.NewColumn(OIDCIDTokenMappingCol, handler.ColumnTypeBool, handler.Default(false)),
+			handler.NewColumn(OIDCUsePKCECol, handler.ColumnTypeBool, handler.Default(false)),
 		},
 			handler.NewPrimaryKey(OIDCInstanceIDCol, OIDCIDCol),
 			IDPTemplateOIDCSuffix,
@@ -722,6 +726,7 @@ func (p *idpTemplateProjection) reduceOAuthIDPAdded(event eventstore.Event) (*ha
 				handler.NewCol(OAuthUserEndpointCol, idpEvent.UserEndpoint),
 				handler.NewCol(OAuthScopesCol, database.TextArray[string](idpEvent.Scopes)),
 				handler.NewCol(OAuthIDAttributeCol, idpEvent.IDAttribute),
+				handler.NewCol(OAuthUsePKCECol, idpEvent.UsePKCE),
 			},
 			handler.WithTableSuffix(IDPTemplateOAuthSuffix),
 		),
@@ -813,6 +818,7 @@ func (p *idpTemplateProjection) reduceOIDCIDPAdded(event eventstore.Event) (*han
 				handler.NewCol(OIDCClientSecretCol, idpEvent.ClientSecret),
 				handler.NewCol(OIDCScopesCol, database.TextArray[string](idpEvent.Scopes)),
 				handler.NewCol(OIDCIDTokenMappingCol, idpEvent.IsIDTokenMapping),
+				handler.NewCol(OIDCUsePKCECol, idpEvent.UsePKCE),
 			},
 			handler.WithTableSuffix(IDPTemplateOIDCSuffix),
 		),
@@ -1154,6 +1160,7 @@ func (p *idpTemplateProjection) reduceOldOIDCConfigAdded(event eventstore.Event)
 				handler.NewCol(OIDCClientSecretCol, idpEvent.ClientSecret),
 				handler.NewCol(OIDCScopesCol, database.TextArray[string](idpEvent.Scopes)),
 				handler.NewCol(OIDCIDTokenMappingCol, true),
+				handler.NewCol(OIDCUsePKCECol, false),
 			},
 			handler.WithTableSuffix(IDPTemplateOIDCSuffix),
 		),
@@ -2253,6 +2260,9 @@ func reduceOAuthIDPChangedColumns(idpEvent idp.OAuthIDPChangedEvent) []handler.C
 	if idpEvent.IDAttribute != nil {
 		oauthCols = append(oauthCols, handler.NewCol(OAuthIDAttributeCol, *idpEvent.IDAttribute))
 	}
+	if idpEvent.UsePKCE != nil {
+		oauthCols = append(oauthCols, handler.NewCol(OAuthUsePKCECol, *idpEvent.UsePKCE))
+	}
 	return oauthCols
 }
 
@@ -2273,6 +2283,9 @@ func reduceOIDCIDPChangedColumns(idpEvent idp.OIDCIDPChangedEvent) []handler.Col
 	if idpEvent.IsIDTokenMapping != nil {
 		oidcCols = append(oidcCols, handler.NewCol(OIDCIDTokenMappingCol, *idpEvent.IsIDTokenMapping))
 	}
+	if idpEvent.UsePKCE != nil {
+		oidcCols = append(oidcCols, handler.NewCol(OIDCUsePKCECol, *idpEvent.UsePKCE))
+	}
 	return oidcCols
 }
 

internal/query/projection/idp_template_test.go

@@ -192,6 +192,7 @@ func TestIDPTemplateProjection_reducesOAuth(t *testing.T) {
  	"userEndpoint": "user",
 	"scopes": ["profile"],
 	"idAttribute": "id-attribute",
+	"usePKCE": false,
 	"isCreationAllowed": true,
 	"isLinkingAllowed": true,
 	"isAutoCreation": true,
@@ -227,7 +228,7 @@ func TestIDPTemplateProjection_reducesOAuth(t *testing.T) {
 							},
 						},
 						{
-							expectedStmt: "INSERT INTO projections.idp_templates6_oauth2 (idp_id, instance_id, client_id, client_secret, authorization_endpoint, token_endpoint, user_endpoint, scopes, id_attribute) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9)",
+							expectedStmt: "INSERT INTO projections.idp_templates6_oauth2 (idp_id, instance_id, client_id, client_secret, authorization_endpoint, token_endpoint, user_endpoint, scopes, id_attribute, use_pkce) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10)",
 							expectedArgs: []interface{}{
 								"idp-id",
 								"instance-id",
@@ -238,6 +239,7 @@ func TestIDPTemplateProjection_reducesOAuth(t *testing.T) {
 								"user",
 								database.TextArray[string]{"profile"},
 								"id-attribute",
+								false,
 							},
 						},
 					},
@@ -265,6 +267,7 @@ func TestIDPTemplateProjection_reducesOAuth(t *testing.T) {
  	"userEndpoint": "user",
 	"scopes": ["profile"],
 	"idAttribute": "id-attribute",
+	"usePKCE": true,
 	"isCreationAllowed": true,
 	"isLinkingAllowed": true,
 	"isAutoCreation": true,
@@ -300,7 +303,7 @@ func TestIDPTemplateProjection_reducesOAuth(t *testing.T) {
 							},
 						},
 						{
-							expectedStmt: "INSERT INTO projections.idp_templates6_oauth2 (idp_id, instance_id, client_id, client_secret, authorization_endpoint, token_endpoint, user_endpoint, scopes, id_attribute) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9)",
+							expectedStmt: "INSERT INTO projections.idp_templates6_oauth2 (idp_id, instance_id, client_id, client_secret, authorization_endpoint, token_endpoint, user_endpoint, scopes, id_attribute, use_pkce) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10)",
 							expectedArgs: []interface{}{
 								"idp-id",
 								"instance-id",
@@ -311,6 +314,7 @@ func TestIDPTemplateProjection_reducesOAuth(t *testing.T) {
 								"user",
 								database.TextArray[string]{"profile"},
 								"id-attribute",
+								true,
 							},
 						},
 					},
@@ -380,6 +384,7 @@ func TestIDPTemplateProjection_reducesOAuth(t *testing.T) {
  	"userEndpoint": "user",
 	"scopes": ["profile"],
 	"idAttribute": "id-attribute",
+	"usePKCE": true,
 	"isCreationAllowed": true,
 	"isLinkingAllowed": true,
 	"isAutoCreation": true,
@@ -410,7 +415,7 @@ func TestIDPTemplateProjection_reducesOAuth(t *testing.T) {
 							},
 						},
 						{
-							expectedStmt: "UPDATE projections.idp_templates6_oauth2 SET (client_id, client_secret, authorization_endpoint, token_endpoint, user_endpoint, scopes, id_attribute) = ($1, $2, $3, $4, $5, $6, $7) WHERE (idp_id = $8) AND (instance_id = $9)",
+							expectedStmt: "UPDATE projections.idp_templates6_oauth2 SET (client_id, client_secret, authorization_endpoint, token_endpoint, user_endpoint, scopes, id_attribute, use_pkce) = ($1, $2, $3, $4, $5, $6, $7, $8) WHERE (idp_id = $9) AND (instance_id = $10)",
 							expectedArgs: []interface{}{
 								"client_id",
 								anyArg{},
@@ -419,6 +424,7 @@ func TestIDPTemplateProjection_reducesOAuth(t *testing.T) {
 								"user",
 								database.TextArray[string]{"profile"},
 								"id-attribute",
+								true,
 								"idp-id",
 								"instance-id",
 							},
@@ -3081,6 +3087,7 @@ func TestIDPTemplateProjection_reducesOIDC(t *testing.T) {
     },
 	"scopes": ["profile"],
 	"idTokenMapping": true,
+	"usePKCE": true,
 	"isCreationAllowed": true,
 	"isLinkingAllowed": true,
 	"isAutoCreation": true,
@@ -3116,7 +3123,7 @@ func TestIDPTemplateProjection_reducesOIDC(t *testing.T) {
 							},
 						},
 						{
-							expectedStmt: "INSERT INTO projections.idp_templates6_oidc (idp_id, instance_id, issuer, client_id, client_secret, scopes, id_token_mapping) VALUES ($1, $2, $3, $4, $5, $6, $7)",
+							expectedStmt: "INSERT INTO projections.idp_templates6_oidc (idp_id, instance_id, issuer, client_id, client_secret, scopes, id_token_mapping, use_pkce) VALUES ($1, $2, $3, $4, $5, $6, $7, $8)",
 							expectedArgs: []interface{}{
 								"idp-id",
 								"instance-id",
@@ -3125,6 +3132,7 @@ func TestIDPTemplateProjection_reducesOIDC(t *testing.T) {
 								anyArg{},
 								database.TextArray[string]{"profile"},
 								true,
+								true,
 							},
 						},
 					},
@@ -3149,6 +3157,7 @@ func TestIDPTemplateProjection_reducesOIDC(t *testing.T) {
     },
 	"scopes": ["profile"],
 	"idTokenMapping": true,
+	"usePKCE": true,
 	"isCreationAllowed": true,
 	"isLinkingAllowed": true,
 	"isAutoCreation": true,
@@ -3184,7 +3193,7 @@ func TestIDPTemplateProjection_reducesOIDC(t *testing.T) {
 							},
 						},
 						{
-							expectedStmt: "INSERT INTO projections.idp_templates6_oidc (idp_id, instance_id, issuer, client_id, client_secret, scopes, id_token_mapping) VALUES ($1, $2, $3, $4, $5, $6, $7)",
+							expectedStmt: "INSERT INTO projections.idp_templates6_oidc (idp_id, instance_id, issuer, client_id, client_secret, scopes, id_token_mapping, use_pkce) VALUES ($1, $2, $3, $4, $5, $6, $7, $8)",
 							expectedArgs: []interface{}{
 								"idp-id",
 								"instance-id",
@@ -3193,6 +3202,7 @@ func TestIDPTemplateProjection_reducesOIDC(t *testing.T) {
 								anyArg{},
 								database.TextArray[string]{"profile"},
 								true,
+								true,
 							},
 						},
 					},
@@ -3260,6 +3270,7 @@ func TestIDPTemplateProjection_reducesOIDC(t *testing.T) {
     },
 	"scopes": ["profile"],
 	"idTokenMapping": true,
+	"usePKCE": true,
 	"isCreationAllowed": true,
 	"isLinkingAllowed": true,
 	"isAutoCreation": true,
@@ -3290,13 +3301,14 @@ func TestIDPTemplateProjection_reducesOIDC(t *testing.T) {
 							},
 						},
 						{
-							expectedStmt: "UPDATE projections.idp_templates6_oidc SET (client_id, client_secret, issuer, scopes, id_token_mapping) = ($1, $2, $3, $4, $5) WHERE (idp_id = $6) AND (instance_id = $7)",
+							expectedStmt: "UPDATE projections.idp_templates6_oidc SET (client_id, client_secret, issuer, scopes, id_token_mapping, use_pkce) = ($1, $2, $3, $4, $5, $6) WHERE (idp_id = $7) AND (instance_id = $8)",
 							expectedArgs: []interface{}{
 								"client_id",
 								anyArg{},
 								"issuer",
 								database.TextArray[string]{"profile"},
 								true,
+								true,
 								"idp-id",
 								"instance-id",
 							},
@@ -3810,7 +3822,7 @@ func TestIDPTemplateProjection_reducesOldConfig(t *testing.T) {
 							},
 						},
 						{
-							expectedStmt: "INSERT INTO projections.idp_templates6_oidc (idp_id, instance_id, issuer, client_id, client_secret, scopes, id_token_mapping) VALUES ($1, $2, $3, $4, $5, $6, $7)",
+							expectedStmt: "INSERT INTO projections.idp_templates6_oidc (idp_id, instance_id, issuer, client_id, client_secret, scopes, id_token_mapping, use_pkce) VALUES ($1, $2, $3, $4, $5, $6, $7, $8)",
 							expectedArgs: []interface{}{
 								"idp-config-id",
 								"instance-id",
@@ -3819,6 +3831,7 @@ func TestIDPTemplateProjection_reducesOldConfig(t *testing.T) {
 								anyArg{},
 								database.TextArray[string]{"profile"},
 								true,
+								false,
 							},
 						},
 					},
@@ -3864,7 +3877,7 @@ func TestIDPTemplateProjection_reducesOldConfig(t *testing.T) {
 							},
 						},
 						{
-							expectedStmt: "INSERT INTO projections.idp_templates6_oidc (idp_id, instance_id, issuer, client_id, client_secret, scopes, id_token_mapping) VALUES ($1, $2, $3, $4, $5, $6, $7)",
+							expectedStmt: "INSERT INTO projections.idp_templates6_oidc (idp_id, instance_id, issuer, client_id, client_secret, scopes, id_token_mapping, use_pkce) VALUES ($1, $2, $3, $4, $5, $6, $7, $8)",
 							expectedArgs: []interface{}{
 								"idp-config-id",
 								"instance-id",
@@ -3873,6 +3886,7 @@ func TestIDPTemplateProjection_reducesOldConfig(t *testing.T) {
 								anyArg{},
 								database.TextArray[string]{"profile"},
 								true,
+								false,
 							},
 						},
 					},

internal/repository/idp/oauth.go

@@ -18,6 +18,7 @@ type OAuthIDPAddedEvent struct {
 	UserEndpoint          string              `json:"userEndpoint,omitempty"`
 	Scopes                []string            `json:"scopes,omitempty"`
 	IDAttribute           string              `json:"idAttribute,omitempty"`
+	UsePKCE               bool                `json:"usePKCE,omitempty"`
 	Options
 }
 
@@ -32,6 +33,7 @@ func NewOAuthIDPAddedEvent(
 	userEndpoint,
 	idAttribute string,
 	scopes []string,
+	usePKCE bool,
 	options Options,
 ) *OAuthIDPAddedEvent {
 	return &OAuthIDPAddedEvent{
@@ -45,6 +47,7 @@ func NewOAuthIDPAddedEvent(
 		UserEndpoint:          userEndpoint,
 		Scopes:                scopes,
 		IDAttribute:           idAttribute,
+		UsePKCE:               usePKCE,
 		Options:               options,
 	}
 }
@@ -82,6 +85,7 @@ type OAuthIDPChangedEvent struct {
 	UserEndpoint          *string             `json:"userEndpoint,omitempty"`
 	Scopes                []string            `json:"scopes,omitempty"`
 	IDAttribute           *string             `json:"idAttribute,omitempty"`
+	UsePKCE               *bool               `json:"usePKCE,omitempty"`
 	OptionChanges
 }
 
@@ -158,6 +162,12 @@ func ChangeOAuthIDAttribute(idAttribute string) func(*OAuthIDPChangedEvent) {
 	}
 }
 
+func ChangeOAuthUsePKCE(usePKCE bool) func(*OAuthIDPChangedEvent) {
+	return func(e *OAuthIDPChangedEvent) {
+		e.UsePKCE = &usePKCE
+	}
+}
+
 func (e *OAuthIDPChangedEvent) Payload() interface{} {
 	return e
 }

internal/repository/idp/oidc.go

@@ -16,6 +16,7 @@ type OIDCIDPAddedEvent struct {
 	ClientSecret     *crypto.CryptoValue `json:"clientSecret"`
 	Scopes           []string            `json:"scopes,omitempty"`
 	IsIDTokenMapping bool                `json:"idTokenMapping,omitempty"`
+	UsePKCE          bool                `json:"usePKCE,omitempty"`
 	Options
 }
 
@@ -27,7 +28,7 @@ func NewOIDCIDPAddedEvent(
 	clientID string,
 	clientSecret *crypto.CryptoValue,
 	scopes []string,
-	isIDTokenMapping bool,
+	isIDTokenMapping, usePKCE bool,
 	options Options,
 ) *OIDCIDPAddedEvent {
 	return &OIDCIDPAddedEvent{
@@ -39,6 +40,7 @@ func NewOIDCIDPAddedEvent(
 		ClientSecret:     clientSecret,
 		Scopes:           scopes,
 		IsIDTokenMapping: isIDTokenMapping,
+		UsePKCE:          usePKCE,
 		Options:          options,
 	}
 }
@@ -74,6 +76,7 @@ type OIDCIDPChangedEvent struct {
 	ClientSecret     *crypto.CryptoValue `json:"clientSecret,omitempty"`
 	Scopes           []string            `json:"scopes,omitempty"`
 	IsIDTokenMapping *bool               `json:"idTokenMapping,omitempty"`
+	UsePKCE          *bool               `json:"usePKCE,omitempty"`
 	OptionChanges
 }
 
@@ -139,6 +142,12 @@ func ChangeOIDCIsIDTokenMapping(idTokenMapping bool) func(*OIDCIDPChangedEvent)
 	}
 }
 
+func ChangeOIDCUsePKCE(usePKCE bool) func(*OIDCIDPChangedEvent) {
+	return func(e *OIDCIDPChangedEvent) {
+		e.UsePKCE = &usePKCE
+	}
+}
+
 func (e *OIDCIDPChangedEvent) Payload() interface{} {
 	return e
 }

internal/repository/idpintent/intent.go

@@ -21,9 +21,10 @@ const (
 type StartedEvent struct {
 	eventstore.BaseEvent `json:"-"`
 
-	SuccessURL *url.URL `json:"successURL"`
+	SuccessURL   *url.URL       `json:"successURL"`
-	FailureURL *url.URL `json:"failureURL"`
+	FailureURL   *url.URL       `json:"failureURL"`
-	IDPID      string   `json:"idpId"`
+	IDPID        string         `json:"idpId"`
+	IDPArguments map[string]any `json:"idpArguments,omitempty"`
 }
 
 func NewStartedEvent(
@@ -32,6 +33,7 @@ func NewStartedEvent(
 	successURL,
 	failureURL *url.URL,
 	idpID string,
+	idpArguments map[string]any,
 ) *StartedEvent {
 	return &StartedEvent{
 		BaseEvent: *eventstore.NewBaseEventForPush(
@@ -39,9 +41,10 @@ func NewStartedEvent(
 			aggregate,
 			StartedEventType,
 		),
-		SuccessURL: successURL,
+		SuccessURL:   successURL,
-		FailureURL: failureURL,
+		FailureURL:   failureURL,
-		IDPID:      idpID,
+		IDPID:        idpID,
+		IDPArguments: idpArguments,
 	}
 }
 

internal/repository/instance/idp.go

@@ -56,6 +56,7 @@ func NewOAuthIDPAddedEvent(
 	userEndpoint,
 	idAttribute string,
 	scopes []string,
+	usePKCE bool,
 	options idp.Options,
 ) *OAuthIDPAddedEvent {
 
@@ -75,6 +76,7 @@ func NewOAuthIDPAddedEvent(
 			userEndpoint,
 			idAttribute,
 			scopes,
+			usePKCE,
 			options,
 		),
 	}
@@ -137,7 +139,7 @@ func NewOIDCIDPAddedEvent(
 	clientID string,
 	clientSecret *crypto.CryptoValue,
 	scopes []string,
-	isIDTokenMapping bool,
+	isIDTokenMapping, usePKCE bool,
 	options idp.Options,
 ) *OIDCIDPAddedEvent {
 
@@ -155,6 +157,7 @@ func NewOIDCIDPAddedEvent(
 			clientSecret,
 			scopes,
 			isIDTokenMapping,
+			usePKCE,
 			options,
 		),
 	}

internal/repository/org/idp.go

@@ -56,6 +56,7 @@ func NewOAuthIDPAddedEvent(
 	userEndpoint,
 	idAttribute string,
 	scopes []string,
+	usePKCE bool,
 	options idp.Options,
 ) *OAuthIDPAddedEvent {
 
@@ -75,6 +76,7 @@ func NewOAuthIDPAddedEvent(
 			userEndpoint,
 			idAttribute,
 			scopes,
+			usePKCE,
 			options,
 		),
 	}
@@ -137,7 +139,7 @@ func NewOIDCIDPAddedEvent(
 	clientID string,
 	clientSecret *crypto.CryptoValue,
 	scopes []string,
-	isIDTokenMapping bool,
+	isIDTokenMapping, usePKCE bool,
 	options idp.Options,
 ) *OIDCIDPAddedEvent {
 
@@ -155,6 +157,7 @@ func NewOIDCIDPAddedEvent(
 			clientSecret,
 			scopes,
 			isIDTokenMapping,
+			usePKCE,
 			options,
 		),
 	}

proto/zitadel/admin.proto

@@ -6124,6 +6124,8 @@ message AddGenericOAuthProviderRequest {
         }
     ];
     zitadel.idp.v1.Options provider_options = 9;
+    // Enable the use of Proof Key for Code Exchange (PKCE) for the OAuth2 flow.
+    bool use_pkce = 10;
 }
 
 message AddGenericOAuthProviderResponse {
@@ -6191,6 +6193,8 @@ message UpdateGenericOAuthProviderRequest {
         }
     ];
     zitadel.idp.v1.Options provider_options = 10;
+    // Enable the use of Proof Key for Code Exchange (PKCE) for the OAuth2 flow.
+    bool use_pkce = 11;
 }
 
 message UpdateGenericOAuthProviderResponse {
@@ -6234,6 +6238,8 @@ message AddGenericOIDCProviderRequest {
     ];
     zitadel.idp.v1.Options provider_options = 6;
     bool is_id_token_mapping = 7;
+    // Enable the use of Proof Key for Code Exchange (PKCE) for the OIDC flow.
+    bool use_pkce = 8;
 }
 
 message AddGenericOIDCProviderResponse {
@@ -6285,6 +6291,8 @@ message UpdateGenericOIDCProviderRequest {
     ];
     zitadel.idp.v1.Options provider_options = 7;
     bool is_id_token_mapping = 8;
+    // Enable the use of Proof Key for Code Exchange (PKCE) for the OIDC flow.
+    bool use_pkce = 9;
 }
 
 message UpdateGenericOIDCProviderResponse {

proto/zitadel/idp.proto

@@ -338,6 +338,8 @@ message OAuthConfig {
             description: "defines how the attribute is called where ZITADEL can get the id of the user";
         }
     ];
+    // Defines if the Proof Key for Code Exchange (PKCE) is used for the authorization code flow.
+    bool use_pkce = 7;
 }
 
 message GenericOIDCConfig {
@@ -365,6 +367,12 @@ message GenericOIDCConfig {
             description: "if true, provider information get mapped from the id token, not from the userinfo endpoint";
         }
     ];
+    // Defines if the Proof Key for Code Exchange (PKCE) is used for the authorization code flow.
+    bool use_pkce = 5 [
+        (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+            example: "true";
+        }
+    ];
 }
 
 message GitHubConfig {

proto/zitadel/management.proto

@@ -12545,6 +12545,8 @@ message AddGenericOAuthProviderRequest {
         }
     ];
     zitadel.idp.v1.Options provider_options = 9;
+    // Enable the use of Proof Key for Code Exchange (PKCE) for the OAuth2 flow.
+    bool use_pkce = 10;
 }
 
 message AddGenericOAuthProviderResponse {
@@ -12612,6 +12614,8 @@ message UpdateGenericOAuthProviderRequest {
         }
     ];
     zitadel.idp.v1.Options provider_options = 10;
+    // Enable the use of Proof Key for Code Exchange (PKCE) for the OAuth2 flow.
+    bool use_pkce = 11;
 }
 
 message UpdateGenericOAuthProviderResponse {
@@ -12655,6 +12659,8 @@ message AddGenericOIDCProviderRequest {
     ];
     zitadel.idp.v1.Options provider_options = 6;
     bool is_id_token_mapping = 7;
+    // Enable the use of Proof Key for Code Exchange (PKCE) for the OIDC flow.
+    bool use_pkce = 8;
 }
 
 message AddGenericOIDCProviderResponse {
@@ -12706,6 +12712,8 @@ message UpdateGenericOIDCProviderRequest {
     ];
     zitadel.idp.v1.Options provider_options = 7;
     bool is_id_token_mapping = 8;
+    // Enable the use of Proof Key for Code Exchange (PKCE) for the OIDC flow.
+    bool use_pkce = 9;
 }
 
 message UpdateGenericOIDCProviderResponse {