docs: Superset 6.1 documentation catch-up — batch 4 (#39446)

Co-authored-by: Superset Dev <dev@superset.apache.org> Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com> Co-authored-by: Michael S. Molina <70410625+michael-s-molina@users.noreply.github.com>
2026-05-11 10:55:43 +00:00 · 2026-04-29 14:26:09 -04:00
parent 6ce3885f2e
commit 979f60a6d4
5 changed files with 77 additions and 10 deletions
--- a/docs/admin_docs/configuration/configuring-superset.mdx
+++ b/docs/admin_docs/configuration/configuring-superset.mdx
@@ -372,6 +372,26 @@ CUSTOM_SECURITY_MANAGER = CustomSsoSecurityManager
  ]
  ```

+### PKCE Support
+
+For public OAuth2 clients that cannot securely store a client secret, enable Proof Key for Code Exchange (PKCE) by adding `code_challenge_method` to the `remote_app` configuration:
+
+```python
+OAUTH_PROVIDERS = [
+    {
+        'name': 'myProvider',
+        'remote_app': {
+            'client_id': 'myClientId',
+            'client_secret': 'mySecret',  # may be empty for pure public clients
+            'code_challenge_method': 'S256',  # enables PKCE
+            'server_metadata_url': 'https://myAuthorizationServer/.well-known/openid-configuration'
+        }
+    }
+]
+```
+
+PKCE (`S256`) is recommended for all OAuth2 flows, even when a client secret is present, as it protects against authorization code interception attacks.
+
 ## LDAP Authentication

 FAB supports authenticating user credentials against an LDAP server.