-
Feature
-
Resolution: Unresolved
-
Undefined
-
None
-
None
-
None
-
Product / Portfolio Work
-
None
-
False
-
-
False
-
None
-
None
-
Tech Preview
-
None
-
None
-
-
None
-
None
-
None
-
None
Feature Overview (aka. Goal Summary)
An elevator pitch (value statement) that describes the Feature in a clear, concise way. Complete during New status.
----- copied from RFE-8158 (originated from OCPBUGS-61564) -----
Description / Problem Statement:
When using an external OIDC provider that enforces PKCE (Proof Key for Code Exchange), oc login succeeds, but Console login fails with an authentication error.
Today, the Console’s OIDC login flow does not handle PKCE code challenges, which prevents users from using OIDC providers that require PKCE.
Impact:
- Customers integrating OCP with 3rd-party OIDC providers (Okta, Keycloak, etc.) cannot log in via the Console if the OIDC application enforces PKCE.
- This limits adoption of security best practices, as PKCE is now recommended even for confidential clients to mitigate code interception attacks.
- oc login already supports PKCE, creating inconsistency between CLI and Console authentication behavior.
Background / Current Behavior:
- Console login works when the OIDC application does not enforce PKCE.
- Console login fails when the OIDC application enforces PKCE, with error messages like:
-
- error=PKCE+code+challenge+is+required+by+the+application.&error_type=auth (Okta)
-
- error=Missing+parameter%3A+code_challenge_method&error_type=auth (Keycloak)
- Logs from oauth-openshift confirm: AuthenticationError: PKCE code challenge is required by the application.
Proposal / Requested Enhancement:
Add support for PKCE in the Console’s OIDC login flow.
- Console should be able to generate and send the code_challenge and code_challenge_method parameters during authorization requests.
- Console should store the code_verifier securely in the login session and use it during token exchange.
- This should align with how oc login already supports PKCE.
Acceptance Criteria:
- Console login succeeds against external OIDC providers when PKCE is enforced.
- Console login continues to work for providers that do not enforce PKCE.
- Behavior between Console and oc login is consistent.
- Documentation updated to reflect PKCE support.
------------------------------------------------------
<your text here>
Goals (aka. expected user outcomes)
The observable functionality that the user now has as a result of receiving this feature. Include the anticipated primary user type/persona and which existing features, if any, will be expanded. Complete during New status.
<your text here>
Requirements (aka. Acceptance Criteria):
A list of specific needs or objectives that a feature must deliver in order to be considered complete. Be sure to include nonfunctional requirements such as security, reliability, performance, maintainability, scalability, usability, etc. Initial completion during Refinement status.
This Feature was generated in OCPSTRAT via acceptance of RFE-8158. Ensure the stated Acceptance Criteria below will fulfill the needs specified in the RFE.
<enter general Feature acceptance here>
Anyone reviewing this Feature needs to know which deployment configurations that the Feature will apply to (or not) once it's been completed. Describe specific needs (or indicate N/A) for each of the following deployment scenarios. For specific configurations that are out-of-scope for a given release, ensure you provide the OCPSTRAT (for the future to be supported configuration) as well.
| Deployment considerations | List applicable specific needs (N/A = not applicable) |
| Self-managed, managed, or both | Y |
| Classic (standalone cluster) | Y |
| Hosted control planes | Y |
| Multi node, Compact (three node), or Single node (SNO), or all | |
| Connected / Restricted Network | |
| Architectures, e.g. x86_x64, ARM (aarch64), IBM Power (ppc64le), and IBM Z (s390x) | |
| Operator compatibility | |
| Backport needed (list applicable versions) | |
| UI need (e.g. OpenShift Console, dynamic plugin, OCM) | Y |
| Other (please specify) |
Use Cases (Optional):
Include use case diagrams, main success scenarios, alternative flow scenarios. Initial completion during Refinement status.
<your text here>
Questions to Answer (Optional):
Include a list of refinement / architectural questions that may need to be answered before coding can begin. Initial completion during Refinement status.
<your text here>
Out of Scope
High-level list of items that are out of scope. Initial completion during Refinement status.
<your text here>
Background
Provide any additional context is needed to frame the feature. Initial completion during Refinement status.
<your text here>
Customer Considerations
Provide any additional customer-specific considerations that must be made when designing and delivering the Feature. Initial completion during Refinement status.
<your text here>
Documentation Considerations
Provide information that needs to be considered and planned so that documentation will meet customer needs. If the feature extends existing functionality, provide a link to its current documentation. Initial completion during Refinement status.
<your text here>
Interoperability Considerations
Which other projects, including ROSA/OSD/ARO, and versions in our portfolio does this feature impact? What interoperability test scenarios should be factored by the layered products? Initial completion during Refinement status.
<your text here>
- is related to
-
OCPBUGS-61564 Console login in external oidc env fails if the application client uses PKCE
-
- Closed
-
- relates to
-
-
- Approved
-
-
-
- In Progress
-
-
-
- Release Pending
-
