[keycloak-user] error=pkce_verification_failed

Federico Navarro Polo - Info.nl federico at info.nl
Thu Jul 13 03:53:52 EDT 2017


Unfortunately, I got the same with 3.1.0.Final and 3.2.0.Final.

When you say disabling PKCE for the adapter, you mean the client connecting to Keycloak, right? In our case, that would be configuration in AppAuth.

Regards,
Federico

On 11/07/17 22:56, "Marek Posolda" <mposolda at redhat.com> wrote:

    Still I would try to upgrade to 3.2.0.Final if possible. AFAIK there were 
    some related fixes in there, so it's worth trying if it's not a lot of work 
    for you. Otherwise, the workaround is to disable PKCE for your adapter, which 
    will also remove all related parameters from the initial request to 
    Keycloak.
    
    Marek
    
    On 11/07/17 16:38, Federico Navarro Polo - Info.nl wrote:
    > Hello,
    >
    > After upgrading our Keycloak version to 3.1.0, we’ve started seeing the following error in one of our use cases (using AppAuth).
    >
    > 2017-07-11 16:21:12,134 DEBUG [org.keycloak.protocol.oidc.endpoints.TokenEndpoint] (default task-24) PKCE supporting Client, codeVerifier = KX3heFUICMscL03Xv_STmf5hgRSsvm5VxnN0DIQob5wRAIGFyVqCn6hQ6w9exPyUtFaMcue1Uole-bTdHP6KaA
    > 2017-07-11 16:21:12,134 DEBUG [org.keycloak.protocol.oidc.endpoints.TokenEndpoint] (default task-24) PKCE codeChallengeMethod = S256
    > 2017-07-11 16:21:12,135 WARN  [org.keycloak.protocol.oidc.endpoints.TokenEndpoint] (default task-24) PKCE verification failed. authUserId = a71bd8ee-fe4b-4259-81c5-5e8e09940f47, authUsername = someone at somewhere.nl
    > 2017-07-11 16:21:12,136 WARN  [org.keycloak.events] (default task-24) type=CODE_TO_TOKEN_ERROR, realmId=x, clientId=x, userId=a71bd8ee-fe4b-4259-81c5-5e8e09940f47, ipAddress=x.x.x.x, error=pkce_verification_failed, grant_type=authorization_code, code_id=1cf7b8f2-5462-4cf4-a228-ba0cc4501e82, client_auth_method=client-secret
    >
    >
    > I saw this bug report, which could be related to the issue (still open for 3.2.0 as well): https://issues.jboss.org/browse/KEYCLOAK-4956
    >
    > Is it possible to disable PKCE from Keycloak configuration?
    >
    >
    > Met vriendelijke groet,
    >
    > Federico Navarro
    >
    > backend developer
    >
    > federico at info.nl  |  LinkedIn <https://www.linkedin.com/company/info-nl>  |  +31 (0)2 05 30 91 61
    >
    > info.nl
    >
    > Sint Antoniesbreestraat 16  |  1011 HB Amsterdam  |  +31 (0)20 530 9100
    
    
    




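Added example, not part of the original thread and not Keycloak's code: a Python implementation of the RFC 7636 check behind a `pkce_verification_failed` event, for confirming offline whether the `code_challenge` a client sent in the authorization request matches the `codeVerifier` shown in the token endpoint's debug log. The function names and failure labels are hypothetical, and the encoding mistakes it tests for are generic possibilities, not the diagnosed cause in this thread.

```python
import base64
import hashlib
import hmac
import re

# RFC 7636 section 4.1: 43-128 characters from the unreserved set.
VERIFIER_RE = re.compile(r"[A-Za-z0-9._~-]{43,128}")


def s256_challenge(code_verifier: str) -> str:
    """BASE64URL(SHA256(ASCII(code_verifier))), '=' padding stripped."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def diagnose_pkce(code_verifier: str, code_challenge: str, method: str = "S256") -> str:
    """Return "ok" or a (hypothetical) label for why verification would fail."""
    if not VERIFIER_RE.fullmatch(code_verifier):
        return "verifier_malformed"
    if method == "plain":
        expected = code_verifier
    elif method == "S256":
        expected = s256_challenge(code_verifier)
    else:
        return "unsupported_method"
    # Constant-time comparison, as a server-side check should use.
    if hmac.compare_digest(expected.encode(), code_challenge.encode()):
        return "ok"
    if method == "S256":
        # Generic client-side encoding mistakes that change the challenge.
        digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
        if code_challenge.rstrip("=") == expected:
            return "challenge_has_padding"
        if code_challenge.rstrip("=") == base64.b64encode(digest).decode().rstrip("="):
            return "challenge_uses_standard_base64"
        if code_challenge.lower() == digest.hex():
            return "challenge_is_hex"
        if code_challenge == code_verifier:
            return "plain_challenge_sent_as_s256"
    return "mismatch"


if __name__ == "__main__":
    # Test vector from RFC 7636, Appendix B.
    verifier = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
    challenge = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"
    print(diagnose_pkce(verifier, challenge))
```

A result of `mismatch` with a well-formed verifier means the challenge stored for the authorization code was not derived from that verifier at all, which points at how the two requests were paired rather than at encoding.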