Hello,
I've encountered the same problem and gave up.
At that time, a naive idea had hit me:
* prepare some concurrently accessible singleton (like KeycloakDeployment) from OAuthRequestAuthenticator
* store generated codeVerifier on it with state parameter value as its key.
But, considering the nature of codeVerifier, the following are required for such a store:
* codeVerifier should be treated with the same security level as client credentials
* codeVerifier should be short-lived and deleted after its lifetime, the same as an Authorization Code
Therefore, it might be better to create a tentative instance whose lifetime is between issuing the Authorization Code Request and issuing the Token Request. And it should be identified by, and only accessible from, the session instance that issued the Authorization Code Request.
However, I'm afraid it might be difficult to accomplish this in a generic fashion. We would need to implement the above for each type of client adapter.
Best regards,
Takashi Norimatsu
Hitachi Ltd.,
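The state-keyed, short-lived verifier store sketched in the reply above, written out as an added example (not Keycloak adapter code; the class and method names are hypothetical). It generates an RFC 7636 code_verifier and S256 code_challenge, keeps the verifier in a process-local map keyed by the OAuth state value, expires it after a short TTL (five minutes is an assumed value), and removes it on first retrieval so it cannot be replayed for a second token request. The reply's own caveat applies: a process-wide singleton holds client-credential-grade secrets, so the state key must be unguessable and, where the adapter has a session object, the entry would be better scoped to that session.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Hypothetical adapter-independent store for PKCE code verifiers, keyed by the
 * OAuth "state" parameter. Added illustration of the thread's design, not
 * Keycloak's own code.
 */
public final class PkceVerifierStore {

    private static final SecureRandom RANDOM = new SecureRandom();
    /** Assumed lifetime; an authorization code is normally valid for minutes only. */
    private static final long DEFAULT_TTL_MILLIS = 5 * 60 * 1000L;

    private static final class Entry {
        final String codeVerifier;
        final long expiresAtMillis;

        Entry(String codeVerifier, long expiresAtMillis) {
            this.codeVerifier = codeVerifier;
            this.expiresAtMillis = expiresAtMillis;
        }
    }

    private final Map<String, Entry> entries = new ConcurrentHashMap<>();
    private final long ttlMillis;

    public PkceVerifierStore(long ttlMillis) {
        this.ttlMillis = ttlMillis;
    }

    /** 32 random bytes, base64url without padding: a 43-character verifier of unreserved characters. */
    public static String newCodeVerifier() {
        byte[] bytes = new byte[32];
        RANDOM.nextBytes(bytes);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
    }

    /** S256 transform: base64url(SHA-256(ASCII(code_verifier))) without padding. */
    public static String codeChallengeS256(String codeVerifier) {
        try {
            MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
            byte[] digest = sha256.digest(codeVerifier.getBytes(StandardCharsets.US_ASCII));
            return Base64.getUrlEncoder().withoutPadding().encodeToString(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 unavailable", e);
        }
    }

    /**
     * Called while building the Authorization Code Request. Stores a fresh verifier
     * under the state value and returns the challenge to put in the redirect URL.
     * A state value that is already in use is rejected rather than overwritten.
     */
    public String begin(String state) {
        purgeExpired();
        String verifier = newCodeVerifier();
        Entry previous = entries.putIfAbsent(state, new Entry(verifier, now() + ttlMillis));
        if (previous != null) {
            throw new IllegalStateException("state value already has a pending verifier");
        }
        return codeChallengeS256(verifier);
    }

    /**
     * Called once when the redirect comes back, before the Token Request. The entry
     * is removed atomically, so a second call with the same state yields null, as does
     * an expired entry.
     */
    public String consume(String state) {
        Entry entry = entries.remove(state);
        if (entry == null || entry.expiresAtMillis < now()) {
            return null;
        }
        return entry.codeVerifier;
    }

    /** Drops verifiers whose authorization flow never completed. */
    private void purgeExpired() {
        long now = now();
        entries.entrySet().removeIf(e -> e.getValue().expiresAtMillis < now);
    }

    private static long now() {
        return System.currentTimeMillis();
    }

    public static void main(String[] args) {
        PkceVerifierStore store = new PkceVerifierStore(DEFAULT_TTL_MILLIS);
        String state = "constructed-state-value"; // constructed; real state values are random
        String challenge = store.begin(state);           // goes into the authorization request
        String verifier = store.consume(state);          // goes into the token request
        System.out.println("challenge matches verifier: " + challenge.equals(codeChallengeS256(verifier)));
        System.out.println("second retrieval returns null: " + (store.consume(state) == null));
    }
}
```

In an adapter, begin() would run where the login redirect is built and consume() where the code is exchanged; the verifier returned by consume() is sent as code_verifier and never logged. Because the map lives in one JVM, a deployment with several adapter instances behind a load balancer would need the redirect to land on the same instance or the entry to be bound to the session, which is the per-adapter work the reply anticipates.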
-----Original Message-----
From: keycloak-dev-bounces(a)lists.jboss.org <keycloak-dev-bounces(a)lists.jboss.org> On
Behalf Of Thomas Darimont
Sent: Wednesday, May 30, 2018 9:02 AM
To: keycloak-dev <keycloak-dev(a)lists.jboss.org>
Subject: [!][keycloak-dev] PKCE support for Keycloak Adapters (OAuthRequestAuthenticator)
Hi there,
I was recently playing with the PKCE support in Keycloak (server), which worked quite well.
However, the support for clients / adapters seems to be quite limited at the moment...
I think support for PKCE for all(?) Java adapters could be added quite easily - I could provide a PR, but I'm currently stuck with finding a generic way to store the codeVerifier generated for the login redirect for later retrieval in the code2token exchange.
Do you have any recommendations for this?
I created the following JIRA issue (with some comments) to track this:
https://clicktime.symantec.com/a/1/bkUjActRvyW1Ds3zoQSu7mjr4Nabixm_1YJAW4...
Cheers,
Thomas
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://clicktime.symantec.com/a/1/Xn2ffdZIVPL_UA8_cnNApcirkcZZdsnyb6SpUd...