As PKCE is aimed at public clients, why is there a need to add support for
this to the Java adapters? Makes more sense to add this to the JavaScript
adapter and CLI/desktop adapter.
On 30 May 2018 at 07:47, 乗松隆志 / NORIMATSU,TAKASHI <
takashi.norimatsu.ws(a)hitachi.com> wrote:
Hello,
I've encountered the same problem and gave up.
At that time, a naive idea occurred to me:
* prepare some concurrently accessible singleton (like KeycloakDeployment)
from OAuthRequestAuthenticator
* store the generated codeVerifier in it with the state parameter value as its
key.
But, considering the nature of codeVerifier, the following are required
for such a store:
* codeVerifier should be treated with the same security level as client
credentials
* codeVerifier should be short-lived and deleted after its lifetime, the same
as an Authorization Code
Therefore, it might be better to create a tentative instance whose
lifetime is between issuing the Authorization Code Request and issuing the Token
Request. And it should be identified and only accessible from the session
instance that issued the Authorization Code Request.
However, I'm afraid it might be difficult to accomplish this in a generic
fashion. We need to implement the above for each type of client adapter.
Best regards,
Takashi Norimatsu
Hitachi Ltd.,
-----Original Message-----
From: keycloak-dev-bounces(a)lists.jboss.org <keycloak-dev-bounces@lists.jboss.org> On Behalf Of Thomas Darimont
Sent: Wednesday, May 30, 2018 9:02 AM
To: keycloak-dev <keycloak-dev(a)lists.jboss.org>
Subject: [!][keycloak-dev] PKCE support for Keycloak Adapters
(OAuthRequestAuthenticator)
Hi there,
I was recently playing with the PKCE support in Keycloak (server) which
worked quite well.
However, the support for client / adapters seems to be quite limited at the
moment...
I think support for PKCE to all? Java adapters could be added quite easily
- I could provide a
PR, but I'm currently stuck with finding a generic way to store the
codeVerifier generated for the login redirect for later retrieval for the
code2token exchange.
Do you have any recommendations for this?
I created the following JIRA issue (with some comments) to track this:
https://issues.jboss.org/browse/KEYCLOAK-7467
Cheers,
Thomas
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
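
The store requirements listed in the thread (keyed by state, short-lived, single-use, readable only by the session that started the login) can be sketched as follows. This is an added example, not code from the thread or from Keycloak; the class and method names are hypothetical, and it assumes a single JVM (in-memory map) and Java 16+.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

/** Hypothetical store; the class and method names are not Keycloak API. */
public final class PkceVerifierStore {
    private record Entry(String verifier, String sessionId, Instant expiresAt) {}

    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();
    private final ConcurrentHashMap<String, Entry> byState = new ConcurrentHashMap<>();
    private final SecureRandom random = new SecureRandom();
    private final Duration ttl;
    public PkceVerifierStore(Duration ttl) { this.ttl = ttl; }

    /** Called before the login redirect; returns the S256 code_challenge to send. */
    public String register(String state, String sessionId) throws NoSuchAlgorithmException {
        byte[] raw = new byte[32];                 // 32 random bytes -> 43-char verifier (RFC 7636)
        random.nextBytes(raw);
        String verifier = B64.encodeToString(raw);
        byState.values().removeIf(e -> e.expiresAt().isBefore(Instant.now())); // evict abandoned logins
        byState.put(state, new Entry(verifier, sessionId, Instant.now().plus(ttl)));
        byte[] hash = MessageDigest.getInstance("SHA-256").digest(verifier.getBytes(StandardCharsets.US_ASCII));
        return B64.encodeToString(hash);
    }

    /** Called at the code-to-token exchange; the entry is removed whatever the outcome. */
    public Optional<String> consume(String state, String sessionId) {
        Entry e = byState.remove(state);           // atomic remove makes the verifier single-use
        if (e == null || Instant.now().isAfter(e.expiresAt())) return Optional.empty();
        if (!e.sessionId().equals(sessionId)) return Optional.empty(); // wrong session: reject
        return Optional.of(e.verifier());
    }

    public static void main(String[] args) throws Exception {
        PkceVerifierStore store = new PkceVerifierStore(Duration.ofMinutes(1));
        String challenge = store.register("state-1", "session-A");   // constructed sample values
        System.out.println("code_challenge=" + challenge + " (method S256)");
        System.out.println("other session: " + store.consume("state-1", "session-B").isPresent());
        store.register("state-2", "session-A");
        System.out.println("owner, first:  " + store.consume("state-2", "session-A").isPresent());
        System.out.println("owner, replay: " + store.consume("state-2", "session-A").isPresent());
    }
}
```

The verifier never leaves the store except through consume(), so it should not be logged or serialized by callers; a clustered adapter would need a shared store with the same remove-on-read semantics.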