OpenShift Request For Enhancement: RFE-8158

Support PKCE (Proof Key for Code Exchange) in Console OIDC Login Flow

Issue Type: Feature Request
Resolution: Unresolved
Component: User Interface

      Description / Problem Statement:
      When using an external OIDC provider that enforces PKCE (Proof Key for Code Exchange), oc login succeeds, but Console login fails with an authentication error.

      Today, the Console’s OIDC login flow does not handle PKCE code challenges, which prevents users from using OIDC providers that require PKCE.


      Impact:

      • Customers integrating OCP with third-party OIDC providers (Okta, Keycloak, etc.) cannot log in via the Console if the OIDC application enforces PKCE.
      • This limits adoption of security best practices, as PKCE is now recommended even for confidential clients to mitigate authorization code interception attacks.
      • oc login already supports PKCE, creating an inconsistency between CLI and Console authentication behavior.

      Background / Current Behavior:

      • Console login works when the OIDC application does not enforce PKCE.
      • Console login fails when the OIDC application enforces PKCE, with error messages like:
        • error=PKCE+code+challenge+is+required+by+the+application.&error_type=auth (Okta)
        • error=Missing+parameter%3A+code_challenge_method&error_type=auth (Keycloak)
      • Logs from oauth-openshift confirm: AuthenticationError: PKCE code challenge is required by the application.

      Proposal / Requested Enhancement:
      Add support for PKCE in the Console’s OIDC login flow.

      • Console should be able to generate and send the code_challenge and code_challenge_method parameters during authorization requests.
      • Console should store the code_verifier securely in the login session and use it during token exchange.
      • This should align with how oc login already supports PKCE.
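      The generate-challenge, keep-verifier, and check-at-token-exchange steps described above, as an added illustration in Go (RFC 7636, S256 method); this is not the Console's or oc's code, and the endpoint and client values are whatever the caller passes in:

```go
package main
import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"net/url"
)

// newCodeVerifier: 32 random bytes, base64url without padding, which yields
// 43 characters from the unreserved set that RFC 7636 requires. The client
// keeps this value in its login session and never sends it to the provider
// until the token exchange.
func newCodeVerifier() (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(buf), nil
}

// codeChallengeS256 derives code_challenge = BASE64URL(SHA256(code_verifier)).
func codeChallengeS256(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// authorizeURL builds the authorization redirect, adding the code_challenge
// and code_challenge_method parameters that a PKCE-enforcing provider expects.
func authorizeURL(authEndpoint, clientID, redirectURI, state, verifier string) string {
	q := url.Values{}
	q.Set("response_type", "code")
	q.Set("client_id", clientID)
	q.Set("redirect_uri", redirectURI)
	q.Set("state", state)
	q.Set("code_challenge", codeChallengeS256(verifier))
	q.Set("code_challenge_method", "S256")
	return authEndpoint + "?" + q.Encode()
}

// verifyPKCE is the provider-side check at token exchange: the code_verifier
// presented with the authorization code must hash to the challenge that was
// bound to that code, so an intercepted code alone cannot be redeemed.
func verifyPKCE(storedChallenge, method, verifier string) error {
	if method != "S256" || len(verifier) < 43 || len(verifier) > 128 {
		return errors.New("unsupported code_challenge_method or bad code_verifier length")
	}
	got := []byte(codeChallengeS256(verifier))
	if subtle.ConstantTimeCompare(got, []byte(storedChallenge)) != 1 {
		return errors.New("code_verifier does not match code_challenge")
	}
	return nil
}
```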

      Acceptance Criteria:

      • Console login succeeds against external OIDC providers when PKCE is enforced.
      • Console login continues to work for providers that do not enforce PKCE.
      • Behavior between Console and oc login is consistent.
      • Documentation updated to reflect PKCE support.

      People: Ali Mobrem (amobrem), Jakub Hadvig (jhadvig@redhat.com)