Merge pull request #2713 from cyberark/revert-pkce-flag

Remove support for disabling the non-PKCE OIDC authentication flow

CHANGELOG.md

@@ -9,7 +9,13 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 - Nothing should go in this section, please add to the latest unreleased version
   (and update the corresponding date), or add a new version.
 
-## [1.19.3] - 2023-01-26
+## [1.19.3] - 2023-03-21
+
+### Changed
+- Removes support for disabling the `CONJUR_FEATURE_PKCE_SUPPORT_ENABLED` flag.
+  [cyberark/conjur#2713](https://github.com/cyberark/conjur/pull/2713)
+
+## [1.19.2] - 2023-02-01
 
 ### Added
 - Conjur now logs when it detects that the Conjur configuration file

app/db/repository/authenticator_repository.rb

@@ -4,13 +4,11 @@ class AuthenticatorRepository
       def initialize(
         data_object:,
         resource_repository: ::Resource,
-        logger: Rails.logger,
-        pkce_support_enabled: Rails.configuration.feature_flags.enabled?(:pkce_support)
+        logger: Rails.logger
       )
         @resource_repository = resource_repository
         @data_object = data_object
         @logger = logger
-        @pkce_support_enabled = pkce_support_enabled
       end
 
       def find_all(type:, account:)
@@ -73,12 +71,10 @@ def load_authenticator(type:, account:, service_id:)
         end
 
         begin
-          if @pkce_support_enabled
-            allowed_args = %i[account service_id] +
-                          @data_object.const_get(:REQUIRED_VARIABLES) +
-                          @data_object.const_get(:OPTIONAL_VARIABLES)
-            args_list = args_list.select{ |key, value| allowed_args.include?(key) && value.present? }
-          end
+          allowed_args = %i[account service_id] +
+                        @data_object.const_get(:REQUIRED_VARIABLES) +
+                        @data_object.const_get(:OPTIONAL_VARIABLES)
+          args_list = args_list.select { |key, value| allowed_args.include?(key) && value.present? }
           @data_object.new(**args_list)
         rescue ArgumentError => e
           @logger.debug("DB::Repository::AuthenticatorRepository.load_authenticator - exception: #{e}")

app/domain/authentication/authn_oidc/authenticator.rb

@@ -29,13 +29,8 @@ def status(authenticator_status_input:)
         # is done, the following check can be removed.
 
         # Attempt to load the V2 version of the OIDC Authenticator
-        data_object = if Rails.configuration.feature_flags.enabled?(:pkce_support)
-          Authentication::AuthnOidc::PkceSupportFeature::DataObjects::Authenticator
-        else
-          Authentication::AuthnOidc::V2::DataObjects::Authenticator
-        end
         authenticator = DB::Repository::AuthenticatorRepository.new(
-          data_object: data_object
+          data_object: Authentication::AuthnOidc::V2::DataObjects::Authenticator
         ).find(
           type: authenticator_status_input.authenticator_name,
           account: authenticator_status_input.account,