Improve the documentation/implementation for custom oauth2 provider (here kanidm) if possible

[bulo3jq]

I tried to use kanidm with komga and encountered some issues/confusion. The issues are partly the same as discussed some time ago in #1507.

First I stumbled a bit as I followed the komga documentation for custom oauth2 providers. It says that PKCE can only be activated with client-authentication-method: none. But this means that komga acts as a public client (see 1 or 2). And the configured basic-secret is not used/required anymore. (In kanidm these clients must be configured differently, since a client with a secret is preferred).
According to this issue even private clients can now enable PKCE: spring-projects/spring-security#16382. At least in this issue they added a new configuration key requireProofKey to enable PKCE, even with client-authentication-method not set to none. I tried setting this in the application.yml, but this did not fix the problem.

Also I did not fully understand, why only RS256 is being supported. (In kanidm this is considered legacy). As far as I understood spring does support ES256 - at least according to this issue: spring-projects/spring-security#11799. I also took some time to connect the invalid_id_token error message with "only RS256 is supported". Maybe the error message could be added to the documentation for future reference.

Both issues are considered insecure in kanidm and therefore I wanted to ask, how/if I could setup an oauth2 provider with PKCE as a private client and ES256 enabled.

Anyways, thanks for the great software!

[gotson]

As far as I understood spring does support ES256

this requires custom code, hence cannot be managed in configuration only

According to this issue even private clients can now enable PKCE

this also requires custom code, hence cannot be managed in configuration only