Review comments

Author: panman90

.changelog/22732.txt

@@ -1,3 +1,3 @@
 ```release-note:feature
-oidc: Added support for client authentication using JWT assertion and PKCE. default PKCE is disable
+oidc: add client authentication using JWT assertion and PKCE. default PKCE is disabled.
 ```

internal/go-sso/oidcauth/auth.go

@@ -110,6 +110,7 @@ func New(c *Config, logger hclog.Logger) (*Authenticator, error) {
 			}
 		}
 		// Use CAP's OIDC provider to leverage its built-in support for
+		// both standard client secret and JWT assertion authentication methods
 		providerConfig, err := capOidc.NewConfig(
 			a.config.OIDCDiscoveryURL,
 			a.config.OIDCClientID,

internal/go-sso/oidcauth/oidc.go

@@ -11,8 +11,6 @@ import (
 	"strings"
 	"time"
 
-	// HashiCorp CAP (Cloud Authentication Primitives) library for OIDC flows
-	// Provides enhanced OIDC support including private key JWT client authentication
 	"github.com/hashicorp/cap/oidc"
 	cass "github.com/hashicorp/cap/oidc/clientassertion"
 
@@ -91,10 +89,6 @@ func (a *Authenticator) ClaimsFromAuthCode(ctx context.Context, stateParam, code
 		}
 	}
 
-	// Use HashiCorp CAP provider for token exchange
-	// This provider supports private key JWT client authentication if configured
-	provider := a.capProvider
-
 	// Use the stored request object from the initial authorization request
 	if state.request == nil {
 		a.logger.Error("Request object not found in state", "stateParam", stateParam)
@@ -103,6 +97,10 @@ func (a *Authenticator) ClaimsFromAuthCode(ctx context.Context, stateParam, code
 		}
 	}
 
+	// Use HashiCorp CAP provider for token exchange
+	// This provider supports private key JWT client authentication if configured
+	provider := a.capProvider
+
 	tokens, err := provider.Exchange(ctx, state.request, stateParam, code)
 	if err != nil {
 		return nil, nil, &ProviderLoginFailedError{