[keycloak-user] error=pkce_verification_failed

Marek Posolda mposolda at redhat.com
Thu Jul 13 15:49:43 EDT 2017


On 13/07/17 09:53, Federico Navarro Polo - Info.nl wrote:
> Unfortunately, I got the same with 3.1.0.Final and 3.2.0.Final.
>
> When you say disabling PKCE for the adapter, you mean the client connecting to Keycloak, right? In our case, that would be configuration in AppAuth.
Yes. Especially to ensure that parameters like "code_challenge" are not 
present in the initial request to Keycloak.

Marek
>
> Regards,
> Federico
>
> On 11/07/17 22:56, "Marek Posolda" <mposolda at redhat.com> wrote:
>
>      Still I would try to upgrade to 3.2.0.Final if possible. AFAIK there were
>      some related fixes in there, so it's worth trying if it's not a lot of work
>      for you. Otherwise the workaround is to disable PKCE for your adapter, which
>      will also remove all related parameters from the initial request to
>      Keycloak.
>      
>      Marek
>      
>      On 11/07/17 16:38, Federico Navarro Polo - Info.nl wrote:
>      > Hello,
>      >
>      > After upgrading our Keycloak version to 3.1.0, we’ve started seeing the following error in one of our use cases (using AppAuth).
>      >
>      > 2017-07-11 16:21:12,134 DEBUG [org.keycloak.protocol.oidc.endpoints.TokenEndpoint] (default task-24) PKCE supporting Client, codeVerifier = KX3heFUICMscL03Xv_STmf5hgRSsvm5VxnN0DIQob5wRAIGFyVqCn6hQ6w9exPyUtFaMcue1Uole-bTdHP6KaA
>      > 2017-07-11 16:21:12,134 DEBUG [org.keycloak.protocol.oidc.endpoints.TokenEndpoint] (default task-24) PKCE codeChallengeMethod = S256
>      > 2017-07-11 16:21:12,135 WARN  [org.keycloak.protocol.oidc.endpoints.TokenEndpoint] (default task-24) PKCE verification failed. authUserId = a71bd8ee-fe4b-4259-81c5-5e8e09940f47, authUsername = someone at somewhere.nl
>      > 2017-07-11 16:21:12,136 WARN  [org.keycloak.events] (default task-24) type=CODE_TO_TOKEN_ERROR, realmId=x, clientId=x, userId=a71bd8ee-fe4b-4259-81c5-5e8e09940f47, ipAddress=x.x.x.x, error=pkce_verification_failed, grant_type=authorization_code, code_id=1cf7b8f2-5462-4cf4-a228-ba0cc4501e82, client_auth_method=client-secret
>      >
>      >
>      > I saw this bug report, which could be related to the issue (still open for 3.2.0 as well): https://issues.jboss.org/browse/KEYCLOAK-4956
>      >
>      > Is it possible to disable PKCE from Keycloak configuration?
>      >
>      >
>      > Kind regards,
>      >
>      > Federico Navarro
>      >
>      > backend developer
>      >
>


