Remove support for disabling the non-PKCE OIDC authentication flow

CHANGELOG.md

@@ -9,19 +9,12 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 - Nothing should go in this section, please add to the latest unreleased version
   (and update the corresponding date), or add a new version.
 
-## [1.19.3] - 2023-01-26
+## [1.19.2] - 2023-2-1
 
-## [1.19.2] - 2022-01-13
+### Changed
 
-### Fixed
-- Previously, including `limit` or `offset` parameters to a resource list request
-  resulted in the returned list being unexpectedly sorted. Now, all resource list
-  request results are sorted by resource ID.
-  [cyberark/conjur#2702](https://github.com/cyberark/conjur/pull/2702)
-
-### Security
-- Upgraded Rails to 6.1.7.1 to resolve CVE-2023-22794 (not vulnerable)
-  [cyberark/conjur#2703](https://github.com/cyberark/conjur/pull/2703)
+- Removes support for disabling the `CONJUR_FEATURE_PKCE_SUPPORT_ENABLED` flag.
+  [cyberark/conjur#2713](https://github.com/cyberark/conjur/pull/2713)
 
 ## [1.19.1] - 2022-12-08
 
@@ -75,6 +68,9 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 - Updated nokogiri in root and docs Gemfile.lock files to resolve GHSA-2qc6-mcvw-92cw
   [cyberark/conjur#2670](https://github.com/cyberark/conjur/pull/2670)
 
+### Changed
+- Changes the Conjur Auth token TTL for OIDC authentication to 60 minutes.
+  []
 ## [1.18.5] - 2022-09-14
 
 ### Added

app/db/repository/authenticator_repository.rb

@@ -4,13 +4,14 @@ class AuthenticatorRepository
       def initialize(
         data_object:,
         resource_repository: ::Resource,
-        logger: Rails.logger,
-        pkce_support_enabled: Rails.configuration.feature_flags.enabled?(:pkce_support)
+        logger: Rails.logger
+        # ,
+        # pkce_support_enabled: Rails.configuration.feature_flags.enabled?(:pkce_support)
       )
         @resource_repository = resource_repository
         @data_object = data_object
         @logger = logger
-        @pkce_support_enabled = pkce_support_enabled
+        # @pkce_support_enabled = pkce_support_enabled
       end
 
       def find_all(type:, account:)
@@ -73,12 +74,10 @@ def load_authenticator(type:, account:, service_id:)
         end
 
         begin
-          if @pkce_support_enabled
-            allowed_args = %i[account service_id] +
-                          @data_object.const_get(:REQUIRED_VARIABLES) +
-                          @data_object.const_get(:OPTIONAL_VARIABLES)
-            args_list = args_list.select{ |key, value| allowed_args.include?(key) && value.present? }
-          end
+          allowed_args = %i[account service_id] +
+                        @data_object.const_get(:REQUIRED_VARIABLES) +
+                        @data_object.const_get(:OPTIONAL_VARIABLES)
+          args_list = args_list.select { |key, value| allowed_args.include?(key) && value.present? }
           @data_object.new(**args_list)
         rescue ArgumentError => e
           @logger.debug("DB::Repository::AuthenticatorRepository.load_authenticator - exception: #{e}")

app/domain/authentication/authn_oidc/authenticator.rb

@@ -29,13 +29,8 @@ def status(authenticator_status_input:)
         # is done, the following check can be removed.
 
         # Attempt to load the V2 version of the OIDC Authenticator
-        data_object = if Rails.configuration.feature_flags.enabled?(:pkce_support)
-          Authentication::AuthnOidc::PkceSupportFeature::DataObjects::Authenticator
-        else
-          Authentication::AuthnOidc::V2::DataObjects::Authenticator
-        end
         authenticator = DB::Repository::AuthenticatorRepository.new(
-          data_object: data_object
+          data_object: Authentication::AuthnOidc::V2::DataObjects::Authenticator
         ).find(
           type: authenticator_status_input.authenticator_name,
           account: authenticator_status_input.account,