[keycloak-dev] PKCE support for Keycloak Adapters (OAuthRequestAuthenticator)

乗松隆志 / NORIMATSU,TAKASHI takashi.norimatsu.ws at hitachi.com
Wed May 30 01:47:38 EDT 2018


I've encountered the same problem and gave up.

At that time, a naive idea hit me:
* prepare some concurrently accessible singleton (like KeycloakDeployment) from OAuthRequestAuthenticator
* store the generated codeVerifier on it with the state parameter value as its key.

But, considering the nature of the codeVerifier, the following are required for such a store:
* the codeVerifier should be treated at the same security level as client credentials
* the codeVerifier should be short-lived and deleted after its lifetime, the same as the Authorization Code

Therefore, it might be better to create a tentative instance whose lifetime is between issuing the Authorization Code Request and issuing the Token Request. And it should be identified by, and only accessible from, the session instance that issued the Authorization Code Request.

However, I'm afraid it might be difficult to accomplish this in a generic fashion. We would need to implement the above for each type of client adapter.

Best regards,
Takashi Norimatsu
Hitachi Ltd.,
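
The store sketched above (verifier keyed by the state value, short-lived, single-use, and bound to the session that issued the authorization request), as an added example that is not Keycloak adapter code and is not from either poster. It uses only the JDK, no Keycloak APIs; the class names, the 60-second TTL and the session identifier are assumptions for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Added example (not Keycloak code): PKCE helpers plus a short-lived, single-use verifier store keyed by state. */
public final class PkceVerifierStoreExample {

    private static final SecureRandom RANDOM = new SecureRandom();
    private static final Base64.Encoder B64URL = Base64.getUrlEncoder().withoutPadding();

    /** RFC 7636 code_verifier: 32 random bytes, base64url without padding, i.e. 43 unreserved characters. */
    static String newCodeVerifier() {
        byte[] bytes = new byte[32];
        RANDOM.nextBytes(bytes);
        return B64URL.encodeToString(bytes);
    }

    /** S256 code_challenge = BASE64URL(SHA-256(ASCII(code_verifier))). */
    static String codeChallengeS256(String verifier) {
        try {
            MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
            return B64URL.encodeToString(sha256.digest(verifier.getBytes(StandardCharsets.US_ASCII)));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory in every JDK", e);
        }
    }

    /** The state value is the lookup key for the verifier, so it must be unguessable: 32 random bytes as well. */
    static String newState() {
        byte[] bytes = new byte[32];
        RANDOM.nextBytes(bytes);
        return B64URL.encodeToString(bytes);
    }

    /**
     * Verifier store with the properties discussed in the thread: a TTL of the same order as the
     * authorization-code lifetime, one-shot retrieval, and access restricted to the originating session.
     */
    static final class VerifierStore {
        private static final class Entry {
            final String verifier; final String sessionId; final long expiresAtMillis;
            Entry(String v, String s, long e) { verifier = v; sessionId = s; expiresAtMillis = e; }
        }
        private final Map<String, Entry> entries = new ConcurrentHashMap<>();
        private final long ttlMillis;

        VerifierStore(long ttlMillis) { this.ttlMillis = ttlMillis; }

        /** Called while building the authorization request. */
        void put(String state, String sessionId, String verifier, long nowMillis) {
            entries.put(state, new Entry(verifier, sessionId, nowMillis + ttlMillis));
        }

        /** Called on the callback. Returns the verifier once, only to the storing session, only before expiry. */
        String consume(String state, String sessionId, long nowMillis) {
            Entry e = entries.remove(state);   // remove first: any second attempt, valid or not, fails closed
            if (e == null || nowMillis > e.expiresAtMillis) return null;
            byte[] owner = e.sessionId.getBytes(StandardCharsets.UTF_8);
            byte[] caller = sessionId.getBytes(StandardCharsets.UTF_8);
            return MessageDigest.isEqual(owner, caller) ? e.verifier : null;
        }

        /** Housekeeping so abandoned logins do not accumulate in the singleton. */
        void evictExpired(long nowMillis) {
            entries.entrySet().removeIf(x -> nowMillis > x.getValue().expiresAtMillis);
        }
    }

    public static void main(String[] args) {
        VerifierStore store = new VerifierStore(60_000); // assumed TTL: 60 s, comparable to an authorization code
        String sessionId = "session-A";                 // constructed: the adapter's HTTP session id
        long now = System.currentTimeMillis();

        // 1. Authorization request: generate state + verifier, keep the verifier, send only the challenge.
        String state = newState();
        String verifier = newCodeVerifier();
        store.put(state, sessionId, verifier, now);
        System.out.println("...&state=" + state + "&code_challenge=" + codeChallengeS256(verifier)
                + "&code_challenge_method=S256");

        // 2. Callback: the returned state locates the verifier; the token request then carries it.
        String recovered = store.consume(state, sessionId, now + 1_000);
        System.out.println("code_verifier for token request: " + recovered);
        System.out.println("replay of the same state is rejected: " + (store.consume(state, sessionId, now + 2_000) == null));

        // Failure modes: a different session, and an expired entry, both get nothing.
        String state2 = newState();
        store.put(state2, sessionId, newCodeVerifier(), now);
        System.out.println("other session is rejected: " + (store.consume(state2, "session-B", now + 1_000) == null));
        String state3 = newState();
        store.put(state3, sessionId, newCodeVerifier(), now);
        System.out.println("expired entry is rejected: " + (store.consume(state3, sessionId, now + 61_000) == null));
    }
}
```

The verifier never leaves the adapter: only the S256 challenge goes into the redirect, and the verifier is handed out exactly once, to the session that stored it, within the TTL. A wrong-session lookup also discards the entry, so a guessed state cannot be retried against the same login. In a clustered adapter the ConcurrentHashMap would have to be replaced by the same shared, encrypted storage the adapter already uses for session state, which is the per-adapter work the thread is worried about.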

-----Original Message-----
From: keycloak-dev-bounces at lists.jboss.org <keycloak-dev-bounces at lists.jboss.org> On Behalf Of Thomas Darimont
Sent: Wednesday, May 30, 2018 9:02 AM
To: keycloak-dev <keycloak-dev at lists.jboss.org>
Subject: [keycloak-dev] PKCE support for Keycloak Adapters (OAuthRequestAuthenticator)

Hi there,

I was recently playing with the PKCE support in Keycloak (server) which worked quite well.
However the support for client / adapters seems to be quite limited at the moment...

I think support for PKCE could be added quite easily to all(?) Java adapters.
I could provide a PR, but I'm currently stuck with finding a generic way to store the codeVerifier generated for the login redirect for later retrieval during the code-to-token exchange.

Do you have any recommendations for this?

I created the following JIRA issue (with some comments) to track this:
