PKCE support for Forge auth provider

Hi team,

I have one provider that supports PKCE which requires code_challenge and code_verifier parameters. But the Forge auth provider doesn’t support the two parameters. Is there anything I can do about it?

Thanks,
William

2 Likes

Welcome to the Atlassian developer community @WilliamGuo,

No. The Forge external auth feature only supports the authorization code flow right now. I would recommend getting PKCE flow logged as a suggestion so you, and others who might stumble upon this thread, would have something formal to track. Could you please open a “suggestion” issue yourself in our open Jira (JAC) in the ECO project? It would help the issue if you provided more details like a link to the PKCE flow RFC and the detail of which service uses that flow. Once you have the issue key, please let us know here so other folks can watch, vote, and comment.

@ibuchanan @WilliamGuo Some OAuth2 providers will only approve your app for distribution if it supports PKCE.

Having recently implemented it from scratch elsewhere, I can tell you that it’s not that hard and would really open up the Forge external auth feature to some major providers.

3 Likes

+1 @david,

Generally, I can see that Forge product management understands that authorization code flow is enough in FRGE-729. But, I think there’s a nuance represented in this thread that is missing from our acknowledged gap about supporting “asApp”. Specifically, you have reasons for preferring PKCE to client credentials flow (which I opened and which was closed in favor of the more general “asApp” issue). The more data you help bring about PKCE, the better we can prioritize. Hence, the ask for a suggestion report.

@david, with your experience, maybe your suggestion report would be richer for the product management team?

2 Likes

Happy for @david to raise the suggestion.