Keycloak issue KEYCLOAK-7467

Support PKCE in OAuthRequestAuthenticator


Details

    • NEW

    Description

      Since the Keycloak server already supports PKCE with the Authorization Code flow, it would be helpful if OAuthRequestAuthenticator also supported PKCE, which would enable PKCE support for all(?) Java-based OIDC adapters.

      One needs to compute a PKCE codeVerifier and associate it with the session / cookie.

      For the S256 PKCE method one would need to compute a SHA256 hash of the codeVerifier and add the following query parameters to the login redirect URI:

      • code_challenge=sha256(codeVerifier)
      • code_challenge_method=S256

      For the plain PKCE method one would need to add the following query parameters to the login redirect URI:

      • code_challenge=codeVerifier
      • code_challenge_method=plain

      Whether to use S256 or plain could be configured via a new pkceMethod property in KeycloakDeployment; a secure default could be S256.

      This is currently missing here:
      https://github.com/keycloak/keycloak/blob/ff6fcd30d9d4c8ed99dcee4667d485ffaa3ae4e0/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/OAuthRequestAuthenticator.java#L143

      Additionally, read the stored codeVerifier from the session / cookie and add it to the call of the ServerRequest.invokeAccessCodeToToken(...) method (there is already an appropriate overload).
      This is currently missing here:
      https://github.com/keycloak/keycloak/blob/ff6fcd30d9d4c8ed99dcee4667d485ffaa3ae4e0/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/OAuthRequestAuthenticator.java#L336
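      The two adapter-side steps described above (append the challenge to the login redirect, then hand the stored verifier to the token exchange) as an added, self-contained example. This is not Keycloak's code; PkceFlowExample, PkceMethod, buildLoginRedirect and codeVerifierForTokenExchange are hypothetical names, and the in-memory map stands in for the session / cookie the issue mentions. One detail the description glosses over: RFC 7636 defines the S256 challenge as the base64url encoding (no padding) of the SHA-256 digest of the ASCII verifier, not the raw hash, so the example encodes it that way and checks itself against the RFC's Appendix B test vector. serverAcceptsVerifier shows the check the token endpoint performs, included only so the round trip can be exercised offline.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Hypothetical helper showing the adapter-side PKCE steps proposed in this issue (not Keycloak code). */
public final class PkceFlowExample {

    /** Mirrors the proposed pkceMethod property; wireValue is what goes into code_challenge_method. */
    enum PkceMethod {
        S256("S256"), PLAIN("plain");
        final String wireValue;
        PkceMethod(String wireValue) { this.wireValue = wireValue; }
    }

    private static final Base64.Encoder B64URL = Base64.getUrlEncoder().withoutPadding();

    /** Stand-in for the session / cookie store: state -> codeVerifier. */
    private final Map<String, String> verifierStore = new ConcurrentHashMap<>();

    /** 32 random bytes, base64url-encoded without padding, give a 43-char verifier (RFC 7636 allows 43..128). */
    static String generateCodeVerifier() {
        byte[] random = new byte[32];
        new SecureRandom().nextBytes(random);
        return B64URL.encodeToString(random);
    }

    /** code_challenge per RFC 7636: base64url(SHA-256(ASCII(verifier))) for S256, the verifier itself for plain. */
    static String codeChallenge(String codeVerifier, PkceMethod method) {
        if (method == PkceMethod.PLAIN) {
            return codeVerifier;
        }
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256")
                    .digest(codeVerifier.getBytes(StandardCharsets.US_ASCII));
            return B64URL.encodeToString(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory in every JRE", e);
        }
    }

    /** Step 1: generate the verifier, remember it under the request's state, append PKCE params to the redirect. */
    String buildLoginRedirect(String loginRedirectUri, String state, PkceMethod method) {
        String codeVerifier = generateCodeVerifier();
        verifierStore.put(state, codeVerifier);
        // Verifier (unreserved chars) and base64url challenge are both URL-safe, so no extra encoding is needed.
        String separator = loginRedirectUri.contains("?") ? "&" : "?";
        return loginRedirectUri + separator
                + "code_challenge=" + codeChallenge(codeVerifier, method)
                + "&code_challenge_method=" + method.wireValue;
    }

    /** Step 2: on the callback, fetch the stored verifier for the token exchange and forget it (single use). */
    String codeVerifierForTokenExchange(String state) {
        String codeVerifier = verifierStore.remove(state);
        if (codeVerifier == null) {
            throw new IllegalStateException("no PKCE verifier stored for state " + state);
        }
        return codeVerifier;
    }

    /** Check the token endpoint performs; constant-time compare avoids leaking how many leading bytes matched. */
    static boolean serverAcceptsVerifier(String storedChallenge, PkceMethod method, String presentedVerifier) {
        byte[] expected = storedChallenge.getBytes(StandardCharsets.US_ASCII);
        byte[] actual = codeChallenge(presentedVerifier, method).getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(expected, actual);
    }

    public static void main(String[] args) {
        // RFC 7636 Appendix B test vector.
        String rfcVerifier = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk";
        String rfcChallenge = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM";
        if (!codeChallenge(rfcVerifier, PkceMethod.S256).equals(rfcChallenge)) {
            throw new AssertionError("S256 challenge does not match RFC 7636 Appendix B");
        }

        PkceFlowExample adapter = new PkceFlowExample();
        String state = "constructed-state-123"; // constructed sample value
        String redirect = adapter.buildLoginRedirect(
                "https://idp.example/realms/demo/protocol/openid-connect/auth?client_id=app&state=" + state,
                state, PkceMethod.S256);
        System.out.println(redirect);

        // Simulate the callback: the verifier leaves the store exactly once, then the server-side check runs.
        String verifier = adapter.codeVerifierForTokenExchange(state);
        String challengeOnServer = redirect.replaceAll(".*code_challenge=([^&]+).*", "$1");
        System.out.println("server accepts verifier: "
                + serverAcceptsVerifier(challengeOnServer, PkceMethod.S256, verifier));
        System.out.println("tampered verifier accepted: "
                + serverAcceptsVerifier(challengeOnServer, PkceMethod.S256, verifier + "x"));
    }
}
```

      Removing the verifier from the store when it is consumed matters: a verifier that survives the callback could be reused with a later authorization code, which defeats the purpose of binding each code to one verifier. Keying the store by state also means a callback carrying an unknown or already-used state fails closed.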

              Assignee: Unassigned
              Reporter: Thomas Darimont (thomas.darimont@googlemail.com)