diff --git a/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-amazon-cognito.md b/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-amazon-cognito.md
index cf4937b0037..ef6c1bbdfbb 100644
--- a/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-amazon-cognito.md
+++ b/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-amazon-cognito.md
@@ -53,6 +53,10 @@ if the user has not yet logged in to Rancher. However, if the user has previousl
| Client Secret | The generated Secret of your Amazon Cognito App Client. |
| Issuer | The Issuer URL of your Amazon Cognito App Client. It follows the format `https://cognito-idp.{region}.amazonaws.com/{userPoolId}`, and can be found in the App Client settings page. Rancher uses the Issuer URL to fetch all of the required URLs. |
+## OIDC Support for PKCE Extension
+
+
+
## Configuring OIDC Single Logout (SLO)
diff --git a/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-generic-oidc.md b/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-generic-oidc.md
index 8ec61010eda..4226c885c26 100644
--- a/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-generic-oidc.md
+++ b/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-generic-oidc.md
@@ -139,6 +139,10 @@ For example, if your IdP sends `groups` in a claim called `custom_roles`, enter
| Custom Email Claim | `email` | The name of the claim in the OIDC token that contains the user's email address. |
| Custom Groups Claim | `groups` | The name of the claim in the OIDC token that contains the user's group memberships (used for RBAC). |
+## OIDC Support for PKCE Extension
+
+
+
## Configuring OIDC Single Logout (SLO)
diff --git a/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-keycloak-oidc.md b/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-keycloak-oidc.md
index 0d406be4273..cf06bbc57ff 100644
--- a/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-keycloak-oidc.md
+++ b/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-keycloak-oidc.md
@@ -168,6 +168,10 @@ After configuration is completed, Rancher user permissions need to be reapplied
:::
+## OIDC Support for PKCE Extension
+
+
+
## Configuring OIDC Single Logout (SLO)
diff --git a/shared-files/_oidc-pkce-support.md b/shared-files/_oidc-pkce-support.md
new file mode 100644
index 00000000000..6a835385a05
--- /dev/null
+++ b/shared-files/_oidc-pkce-support.md
@@ -0,0 +1,3 @@
+Rancher supports the Proof Key for Code Exchange (PKCE) extension (RFC 7636) for OIDC authentication providers. SHA-256 (`S256`) is the only supported PKCE verification method. To enable this feature, your authentication provider must use PKCE with `S256` for authorization requests.
+
+You can enable this feature by selecting **Enable PKCE (S256)** in your authentication provider configuration in Rancher. Enabling `S256` PKCE token verification allows you to mitigate authorization code interception attacks during OIDC authentication flows.
diff --git a/src/theme/MDXComponents.js b/src/theme/MDXComponents.js
index 871d566aa20..6a47cb48b05 100644
--- a/src/theme/MDXComponents.js
+++ b/src/theme/MDXComponents.js
@@ -16,6 +16,8 @@ import ConfigureSLOOidc from '/shared-files/_configure-slo-oidc.md';
import EOLRKE1Warning from '/shared-files/_eol-rke1-warning.md';
import PermissionsWarning from '/shared-files/_permissions-warning.md';
import SamlOpenLDAPGroupPermissions from '/shared-files/_saml-openldap-group-permissions.md';
+import OIDCPKCESupport from '/shared-files/_oidc-pkce-support.md';
+
export default {
// Re-use the default mapping
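Review bot: The new `OIDCPKCESupport` import is appended after `SamlOpenLDAPGroupPermissions`, while the neighbouring imports visible here (`ConfigureSLOOidc`, `EOLRKE1Warning`, `PermissionsWarning`, `SamlOpenLDAPGroupPermissions`) appear to be kept in alphabetical order. Placing it between `EOLRKE1Warning` and `PermissionsWarning` would keep the list easy to scan, and the same applies to the `OIDCPKCESupport,` mapping entry in the second hunk of this file. The added blank `+` line after the import may also double an existing blank line before `export default`, though the surrounding context is not fully visible here. The `export default` object continues outside this hunk.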
@@ -37,4 +39,5 @@ export default {
EOLRKE1Warning,
PermissionsWarning,
SamlOpenLDAPGroupPermissions,
+ OIDCPKCESupport,
};
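Review bot: Registering `OIDCPKCESupport` in the mapping only has an effect if the pages render it, and in the six documentation hunks of this commit the new `## OIDC Support for PKCE Extension` heading is followed only by empty added lines as shown. If the `<OIDCPKCESupport />` tag was simply lost in this rendering, nothing needs to change; otherwise those sections would publish as empty headings and the PKCE guidance would not reach readers. I would also add a short comment above the entry, e.g. `// Shared PKCE (S256) section for the Cognito, generic OIDC and Keycloak OIDC pages`, so the global mapping records where the component is used. The `export default` object starts outside this hunk.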
diff --git a/versioned_docs/version-2.14/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-amazon-cognito.md b/versioned_docs/version-2.14/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-amazon-cognito.md
index cf4937b0037..ef6c1bbdfbb 100644
--- a/versioned_docs/version-2.14/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-amazon-cognito.md
+++ b/versioned_docs/version-2.14/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-amazon-cognito.md
@@ -53,6 +53,10 @@ if the user has not yet logged in to Rancher. However, if the user has previousl
| Client Secret | The generated Secret of your Amazon Cognito App Client. |
| Issuer | The Issuer URL of your Amazon Cognito App Client. It follows the format `https://cognito-idp.{region}.amazonaws.com/{userPoolId}`, and can be found in the App Client settings page. Rancher uses the Issuer URL to fetch all of the required URLs. |
+## OIDC Support for PKCE Extension
+
+
+
## Configuring OIDC Single Logout (SLO)
diff --git a/versioned_docs/version-2.14/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-generic-oidc.md b/versioned_docs/version-2.14/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-generic-oidc.md
index 8ec61010eda..4226c885c26 100644
--- a/versioned_docs/version-2.14/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-generic-oidc.md
+++ b/versioned_docs/version-2.14/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-generic-oidc.md
@@ -139,6 +139,10 @@ For example, if your IdP sends `groups` in a claim called `custom_roles`, enter
| Custom Email Claim | `email` | The name of the claim in the OIDC token that contains the user's email address. |
| Custom Groups Claim | `groups` | The name of the claim in the OIDC token that contains the user's group memberships (used for RBAC). |
+## OIDC Support for PKCE Extension
+
+
+
## Configuring OIDC Single Logout (SLO)
diff --git a/versioned_docs/version-2.14/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-keycloak-oidc.md b/versioned_docs/version-2.14/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-keycloak-oidc.md
index 0d406be4273..cf06bbc57ff 100644
--- a/versioned_docs/version-2.14/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-keycloak-oidc.md
+++ b/versioned_docs/version-2.14/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-keycloak-oidc.md
@@ -168,6 +168,10 @@ After configuration is completed, Rancher user permissions need to be reapplied
:::
+## OIDC Support for PKCE Extension
+
+
+
## Configuring OIDC Single Logout (SLO)