Unfortunately, I got the same with 3.1.0.Final and 3.2.0.Final.
When you say disabling PKCE for the adapter, you mean the client connecting to Keycloak,
right? In our case, that would be configuration in AppAuth.
Yes. Especially to ensure that parameters like "code_challenge" are not present in the initial request to Keycloak.
Marek
Regards,
Federico
On 11/07/17 22:56, "Marek Posolda" <mposolda(a)redhat.com> wrote:
Still, I would try to upgrade to 3.2.0.Final if possible. AFAIK there were
some related fixes in there, so it's worth trying if it's not a lot of work
for you. Otherwise, the workaround is to disable PKCE for your adapter, which
will also remove all related parameters from the initial request to
Keycloak.
Marek
On 11/07/17 16:38, Federico Navarro Polo - Info.nl wrote:
> Hello,
>
> After upgrading our Keycloak version to 3.1.0, we’ve started seeing the following error in one of our use cases (using AppAuth).
>
> 2017-07-11 16:21:12,134 DEBUG [org.keycloak.protocol.oidc.endpoints.TokenEndpoint] (default task-24) PKCE supporting Client, codeVerifier = KX3heFUICMscL03Xv_STmf5hgRSsvm5VxnN0DIQob5wRAIGFyVqCn6hQ6w9exPyUtFaMcue1Uole-bTdHP6KaA
> 2017-07-11 16:21:12,134 DEBUG [org.keycloak.protocol.oidc.endpoints.TokenEndpoint] (default task-24) PKCE codeChallengeMethod = S256
> 2017-07-11 16:21:12,135 WARN [org.keycloak.protocol.oidc.endpoints.TokenEndpoint] (default task-24) PKCE verification failed. authUserId = a71bd8ee-fe4b-4259-81c5-5e8e09940f47, authUsername = someone(a)somewhere.nl
> 2017-07-11 16:21:12,136 WARN [org.keycloak.events] (default task-24) type=CODE_TO_TOKEN_ERROR, realmId=x, clientId=x, userId=a71bd8ee-fe4b-4259-81c5-5e8e09940f47, ipAddress=x.x.x.x, error=pkce_verification_failed, grant_type=authorization_code, code_id=1cf7b8f2-5462-4cf4-a228-ba0cc4501e82, client_auth_method=client-secret
>
>
> I saw this bug report, which could be related to the issue (still open for 3.2.0 as well): https://issues.jboss.org/browse/KEYCLOAK-4956
>
> Is it possible to disable PKCE from Keycloak configuration?
>
>
> Kind regards,
>
> Federico Navarro
>
> backend developer
>
> federico@info.nl | LinkedIn <https://www.linkedin.com/company/info-nl> | +31 (0)2 05 30 91 61
>
> info.nl <http://www.info.nl/>
>
> Sint Antoniesbreestraat 16 | 1011 HB Amsterdam | +31 (0)20 530 9100
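
The S256 comparison behind a `pkce_verification_failed` event, as defined in RFC 7636, can be reproduced offline to check whether the `code_challenge` a client sent really corresponds to the `codeVerifier` seen in the debug log. This is an added example, not code from Keycloak, AppAuth or the thread; the function names and failure hints are hypothetical, and the sample values are the RFC 7636 Appendix B test vector.

```python
import base64
import hashlib
import hmac
import re

# RFC 7636 section 4.1: 43-128 characters from the unreserved set.
VERIFIER_RE = re.compile(r"[A-Za-z0-9\-._~]{43,128}")

# RFC 7636 Appendix B test vector (not values from this thread).
RFC_VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
RFC_CHALLENGE = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"


def s256_challenge(code_verifier: str) -> str:
    """BASE64URL(SHA256(ASCII(code_verifier))) with '=' padding removed."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def verify_pkce(code_verifier: str, code_challenge: str, method: str = "S256"):
    """Return (ok, reason) for the token-request side of the PKCE check."""
    if not VERIFIER_RE.fullmatch(code_verifier):
        return False, "code_verifier is not 43-128 unreserved characters"
    if method == "plain":
        expected = code_verifier
    elif method == "S256":
        expected = s256_challenge(code_verifier)
    else:
        return False, "unsupported code_challenge_method"
    if hmac.compare_digest(expected.encode(), code_challenge.encode()):
        return True, "match"
    if method == "S256":
        # Hints for encoding slips that give a well-formed but wrong challenge.
        if code_challenge == code_verifier:
            return False, "challenge is the raw verifier (plain sent as S256)"
        if code_challenge.rstrip("=") == expected:
            return False, "challenge still carries '=' padding"
        b64url = code_challenge.replace("+", "-").replace("/", "_").rstrip("=")
        if b64url == expected:
            return False, "challenge uses the standard Base64 alphabet"
    return False, "challenge was not derived from this verifier"


if __name__ == "__main__":
    print(verify_pkce(RFC_VERIFIER, RFC_CHALLENGE))
    print(verify_pkce(RFC_VERIFIER, RFC_CHALLENGE + "="))
    print(verify_pkce(RFC_VERIFIER, RFC_VERIFIER))
```

Feed it the `code_challenge` from the captured authorization request and the `codeVerifier` from the token endpoint log; a mismatch with no hint means the two values come from different authorization attempts or a different hash input.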