Add PKCE method to OIDC auth providers

[rak-phillip]

Summary

This adds a new PKCE method input to the OIDC auth provider configuration.

Fixes #15637

Occurred changes and/or fixed issues

• Add a new input for PKCE method
• Reorders the OIDC form so that Endpoints and PKCE are rendered before scopes

Technical notes summary

The PKCE method is being added to OIDC providers in rancher/rancher#53285. This PR addresses the UI portion for the new field.

During reviews of the form, we decided that the sections should be reordered to better emphasize importance for configuration.

Areas or cases that should be tested

OIDC configuration:

• Amazon Cognito
• Generic
• Keycloak

Areas which could experience regressions

This change is low risk. Configuration should still work in scenarios where the new option is not supported.

Screenshot/Video

Before

After

Checklist

• The PR is linked to an issue and the linked issue has a Milestone, or no issue is needed
• The PR has a Milestone
• The PR template has been filled out
• The PR has been self reviewed
• The PR has a reviewer assigned
• The PR has automated tests or clear instructions for manual tests and the linked issue has appropriate QA labels, or tests are not needed
• The PR has reviewed with UX and tested in light and dark mode, or there are no UX changes
• The PR has been reviewed in terms of Accessibility
• The PR has considered, and if applicable tested with, the three Global Roles Admin, Standard User and User Base

[aalves08]

Ok, spent quite a bit of time trying this and provisioning a new backend until I realised the backend PR is still a draft 🤦

Overall, LGTM. No red flags codewise. Would be nice to test it with the backend though... Let me know how you want to proceed.

FYI, I can't test keycloak OIDC anymore. My setup needs me to have an ngrok domain and we've hit the limit o max domains created for the whole ngrok account, so 🤷

[bigkevmcd]

@rak-phillip After security review, and some discussion we're going to drop support the plain option.

[aalves08]

With the image you told me to use bigkevmcd/rancher:v2.14-29d9b6212-head, the feature doesn't work:

Screen.Recording.2026-01-27.at.11.24.22.mov

[bigkevmcd]

With the image you told me to use bigkevmcd/rancher:v2.14-29d9b6212-head, the feature doesn't work:
Screen.Recording.2026-01-27.at.11.24.22.mov

We dropped support for plain, but the field is still a string and not a boolean.

Can we keep it as a string so that it's future-proofed against different PKCE verification algorithms (or the possible return of plain in the event that a customer needs it).

[rak-phillip]

We dropped support for plain, but the field is still a string and not a boolean.

Can we keep it as a string so that it's future-proofed against different PKCE verification algorithms (or the possible return of plain in the event that a customer needs it).

@bigkevmcd the value is a string, the checkbox is there to act as a toggle for the feature. See

• https://github.com/rak-phillip/dashboard/blob/bb34474d7b78acbab9e3ce725aa565387d7cf9a6/shell/edit/auth/oidc.vue#L21
• https://github.com/rak-phillip/dashboard/blob/bb34474d7b78acbab9e3ce725aa565387d7cf9a6/shell/edit/auth/oidc.vue#L448

@aalves08 I'll try to gather some more info to see why it might be failing

[rak-phillip]

@aalves08 the PKCE_S256 wasn't exposed to the template, fixing this should resolve the checkbox treating the value as a boolean. Can you try again?

[bigkevmcd]

I can also build a newer image...that is from a few weeks ago?

[rak-phillip]

I can also build a newer image...that is from a few weeks ago?

@bigkevmcd yeah, that's the original image from when we first synced.

[aalves08]

Testing with bigkevmcd/rancher:v2.14-29d9b6212-head

Still not working @rak-phillip ... When we do the action=configureTest the payload is sent correctly. Same for action=testAndApply but the returning cognito network requests from the server return with null.

Similar output with Keycloak.

Other topic, should we surface the PCKE information here, if it's active?

[rak-phillip]

Testing with bigkevmcd/rancher:v2.14-29d9b6212-head

Still not working @rak-phillip ... When we do the action=configureTest the payload is sent correctly. Same for action=testAndApply but the returning cognito network requests from the server return with null.

@aalves08 thanks for testing again - we have a new image that we can use to verify bigkevmcd/rancher:v2.14-776aa72c4-head. I'll see if I can repro the same behavior with this.

Other topic, should we surface the PCKE information here, if it's active?

That's a good point. I think we can add it.

[aalves08]

With the new image provided I could verify that both on Amazon Cognito and Keycloak everything works fine. User can enable and disable PCKE and the value persists. SLO feature also works fine.

Small change needed (missing translation key):

Otherwise we are good to go

[aalves08]

All fixed! LGTM ✅