OpenShift Bugs: OCPBUGS-50508

OpenShift OAuth server does not fully implement PKCE (RFC 7636) support - missing code_challenge generation in authorization requests

    • Type: Bug
    • Resolution: Won't Do
    • Priority: Critical
    • 4.17, 4.17.0, 4.17.z
    • oauth-apiserver
    • Quality / Stability / Reliability
    • Important

The OAuth server in OpenShift 4.17 partially implements PKCE by accepting the code_challenge_method parameter but fails to generate and include the required code_challenge in authorization requests. This causes authentication failures with OpenID providers that require PKCE.

Evidence from logs:

I0131 11:29:23.380927 1 handler.go:84] redirect to https://XXXXX:7002/cas/oauth2/authorize?client_id=<redacted>&code_challenge_method=S256&redirect_uri=...

E0131 11:29:23.711337 1 errorpage.go:28] AuthenticationError: Invalid request: Missing CodeChallenge (PKCE - RFC 7636)

Description of problem:
OpenShift OAuth server does not fully implement PKCE (RFC 7636) support. While the OAuth configuration accepts code_challenge_method=S256, it fails to generate and include the required code_challenge parameter in the authorization request to the OpenID provider.

Version-Release number of selected component:
OpenShift Container Platform 4.17
Component: oauth-server

How reproducible:
100% - consistently reproducible when configuring an OpenID provider with a PKCE requirement

Steps to Reproduce:
1. Configure OpenShift OAuth with an OpenID provider that requires PKCE:
```yaml
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
spec:
  identityProviders:
  - name: eu-login
    type: OpenID
    openID:
      extraAuthorizeParameters:
        code_challenge_method: "S256"
      clientID: <client_id>
      claims:
        preferredUsername: ["preferred_username"]
```
2. Attempt to authenticate using the OpenID provider
3. Check the oauth-openshift pod logs

Actual results:

Authorization request is missing the code_challenge parameter:

GET /oauth/authorize?client_id=<client_id>&code_challenge_method=S256&redirect_uri=...

Error in oauth-openshift logs:
"Error handling request: Invalid request: Missing CodeChallenge (PKCE - RFC 7636)"

Expected results:

1. The OAuth server should generate a code_verifier
2. Calculate the code_challenge from it using the S256 method
3. Include both code_challenge_method and code_challenge in the authorization request:

GET /oauth/authorize?client_id=<client_id>&code_challenge_method=S256&code_challenge=<calculated_challenge>&redirect_uri=...

Additional info:

- Logs show the configuration is accepted but code_challenge is not generated
- Working applications with the same OpenID provider include both parameters
- Example of a working request from another application:

GET /cas/oauth2/authorize?client_id=<CLIENT_ID>&code_challenge=Fke_zHXCFON5R3SYx__RBH-N85FKscra2EIdDtPoEcU&code_challenge_method=S256...

- OAuth server logs confirm the PKCE parameters are missing in the request
- This appears to be a limitation in the current OpenShift OAuth server implementation
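The expected flow from the report (generate a code_verifier, derive the S256 code_challenge, send both parameters) as an added Go example; this is not code from the OpenShift oauth-server. The endpoint, client and redirect values are placeholders, `extra` stands in for the CR's extraAuthorizeParameters, and `PKCEComplete` is a hypothetical check that flags the request shape seen in the logs (method declared, challenge absent).

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"net/url"
)

// NewCodeVerifier: 32 random bytes, base64url without padding = 43 chars (RFC 7636 section 4.1).
func NewCodeVerifier() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// S256Challenge = BASE64URL(SHA256(ASCII(code_verifier))) (RFC 7636 section 4.2).
func S256Challenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// AuthorizeURL builds the redirect to the provider. extra stands in for the CR's
// extraAuthorizeParameters (assumed shape); when it declares code_challenge_method=S256,
// the matching code_challenge is derived from verifier, the step the report says is skipped.
func AuthorizeURL(endpoint, clientID, redirectURI, verifier string, extra map[string]string) (string, error) {
	u, err := url.Parse(endpoint)
	if err != nil {
		return "", err
	}
	q := u.Query()
	q.Set("client_id", clientID)
	q.Set("redirect_uri", redirectURI)
	for k, v := range extra {
		q.Set(k, v)
	}
	if q.Get("code_challenge_method") == "S256" {
		q.Set("code_challenge", S256Challenge(verifier))
	}
	u.RawQuery = q.Encode()
	return u.String(), nil
}

// PKCEComplete (hypothetical check): for a parsed authorize query such as the logged
// "redirect to ..." URL, a declared code_challenge_method must carry a code_challenge.
func PKCEComplete(q url.Values) bool {
	return q.Get("code_challenge_method") == "" || q.Get("code_challenge") != ""
}
```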

    • rh-ee-irinis Ilias Rinis
    • rhn-support-vyoganan Vivek Yoganand A (Inactive)
    • Xingxing Xia Xingxing Xia
    • Votes: 0
    • Watchers: 6
