From f356d08ec960272830be25a64eae8bb70727f091 Mon Sep 17 00:00:00 2001
From: Rorical <46294886+Rorical@users.noreply.github.com>
Date: Sun, 22 Dec 2024 23:04:56 +0800
Subject: [PATCH] chore: update config example
---
 config-example.yaml | 13 ++++++++++---
 docs/ref/oidc.md | 1 +
 2 files changed, 11 insertions(+), 3 deletions(-)
diff --git a/config-example.yaml b/config-example.yaml
index 352e8d8c..581d997d 100644
--- a/config-example.yaml
+++ b/config-example.yaml
@@ -364,10 +364,17 @@ unix_socket_permission: "0770"
 # allowed_users:
 # - alice@example.com
 #
-# # Optional: Enable PKCE (Proof Key for Code Exchange) support for enhanced security
-# # and prevent CSRF attacks.
+# # Optional: PKCE (Proof Key for Code Exchange) configuration
+# # PKCE adds an additional layer of security to the OAuth 2.0 authorization code flow
+# # by preventing authorization code interception attacks
 # # See https://datatracker.ietf.org/doc/html/rfc7636
-# enable_pkce: false
+# pkce:
+# # Enable or disable PKCE support (default: false)
+# enabled: false
+# # PKCE method to use:
+# # - plain: Use plain code verifier
+# # - S256: Use SHA256 hashed code verifier (default, recommended)
+# method: S256
 #
 # # Map legacy users from pre-0.24.0 versions of headscale to the new OIDC users
 # # by taking the username from the legacy user and matching it with the username
diff --git a/docs/ref/oidc.md b/docs/ref/oidc.md
index 3d794533..9f8c3e59 100644
--- a/docs/ref/oidc.md
+++ b/docs/ref/oidc.md
@@ -48,6 +48,7 @@ oidc:
 # Optional: PKCE (Proof Key for Code Exchange) configuration
 # PKCE adds an additional layer of security to the OAuth 2.0 authorization code flow
 # by preventing authorization code interception attacks
+ # See https://datatracker.ietf.org/doc/html/rfc7636
 pkce:
 # Enable or disable PKCE support (default: false)
 enabled: false
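Review bot: The `plain` option in the new `pkce.method` comment of config-example.yaml is listed without any caveat, so a reader cannot tell why S256 is the recommended value. With `plain` the code challenge is the verifier itself, so it gives no protection when the authorization request is observed; RFC 7636 section 4.2 tells clients that can do S256 to use it and permits `plain` only when S256 cannot be supported. I would reword that line to `# - plain: Use plain code verifier (only if the identity provider cannot do S256)`. The example also replaces `enable_pkce` with `pkce.enabled` without saying whether the old key is still read; if it is not, a one-line migration comment here would help operators who upgrade with PKCE already turned on.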