pennersr/django-allauth

Headless Authorization Code + PKCE Support?

vecchp opened this issue · 1 comment

I'm currently using dj-rest-auth and django-rest-social-auth for two separate projects that utilize the authorization code flow with PKCE rather than the implicit flow.

I am considering migrating from these libraries to the recently released headless API. In the documentation I noticed the presence of a token flow (which appears to be the implicit grant) and a redirect flow (which does not seem suitable for the Authorization Code + PKCE workflow).

Could you clarify if the authorization code flow with PKCE is currently supported or if there are plans to implement it in the future? Additionally, if there is support, could you provide guidance on its usage?
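Since the question contrasts the authorization code flow with PKCE against the implicit grant, the following is an added example (not django-allauth's code, and not anything the headless API provides) that shows the PKCE pieces defined in RFC 7636 on both sides: the client generates a `code_verifier` and derives the S256 `code_challenge` that travels with the authorization request, and the token endpoint recomputes the challenge from the verifier presented at code exchange. The function names, the `simulate_flow` walkthrough, and the in-memory "stored challenge" are illustrative assumptions, not a real server.

```python
import base64
import hashlib
import hmac
import secrets
import string

# RFC 7636 section 4.1: code_verifier is 43..128 characters from the unreserved set.
_UNRESERVED = set(string.ascii_letters + string.digits + "-._~")


def _b64url_nopad(data: bytes) -> str:
    """Base64url encoding without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def generate_code_verifier(n_bytes: int = 32) -> str:
    """Client side: high-entropy random verifier (32 random bytes -> 43 chars)."""
    if not 32 <= n_bytes <= 96:
        # 32..96 random bytes keeps the encoded length within 43..128 characters.
        raise ValueError("n_bytes must be between 32 and 96")
    return _b64url_nopad(secrets.token_bytes(n_bytes))


def code_challenge_s256(code_verifier: str) -> str:
    """Client side: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    if not 43 <= len(code_verifier) <= 128 or any(c not in _UNRESERVED for c in code_verifier):
        raise ValueError("code_verifier violates RFC 7636 section 4.1")
    return _b64url_nopad(hashlib.sha256(code_verifier.encode("ascii")).digest())


def verify_code_challenge(stored_challenge: str, presented_verifier: str, method: str = "S256") -> bool:
    """Server side (token endpoint): recompute the challenge and compare in constant time.

    Only S256 is accepted. The 'plain' method is rejected here because it offers no
    protection if the authorization request is observed.
    """
    if method != "S256":
        return False
    try:
        recomputed = code_challenge_s256(presented_verifier)
    except ValueError:
        return False
    return hmac.compare_digest(recomputed.encode("ascii"), stored_challenge.encode("ascii"))


def simulate_flow(tamper: bool = False) -> dict:
    """Illustrative walkthrough of both parties; no network, no real authorization server.

    1. Client creates verifier + challenge and sends only the challenge with the
       authorization request.
    2. Server binds the challenge to the authorization code it issues (here: a dict).
    3. Client exchanges the code together with the verifier; the server checks it.
    With tamper=True, a different verifier is presented, modelling a stolen code.
    """
    verifier = generate_code_verifier()
    challenge = code_challenge_s256(verifier)

    # Step 2: what the authorization server would persist alongside the issued code.
    issued = {"code": secrets.token_urlsafe(16), "code_challenge": challenge, "method": "S256"}

    # Step 3: the token request presents the verifier (or the wrong one, if tampered).
    presented = generate_code_verifier() if tamper else verifier
    accepted = verify_code_challenge(issued["code_challenge"], presented, issued["method"])
    return {"code": issued["code"], "accepted": accepted}


if __name__ == "__main__":
    print("honest client accepted:", simulate_flow()["accepted"])
    print("stolen code without verifier accepted:", simulate_flow(tamper=True)["accepted"])
```

The test vector used below is the one in RFC 7636 Appendix B, so the challenge derivation can be checked against the specification rather than against itself.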

The headless functionality is not to be mistaken for what OAuth is trying to accomplish, so no -- that is currently not supported. Having an allauth.idp would be interesting though. But, OAuth/OIDC is a protocol that allows you as a user to use your identity stored at an Identity Provider to access one or more relying parties. OAuth has nothing defined for changing your password, activating MFA, signing up and so on... it is this part that allauth.headless covers, so basically all the functionality within the IdP.