
Keycloak Authorization PKCE s256/S256

Open jland-redhat opened this issue 1 year ago • 3 comments

Bug report

  • [x] I confirm this is a bug with Supabase, not with my own application.
  • [x] I confirm I have searched the Docs, GitHub Discussions, and Discord.

Describe the bug

Keycloak accepts the code challenge method "S256" (it is part of a drop-down menu), but it seems like Supabase has hardcoded its challenge method to "s256".

So when a login is attempted, Keycloak throws

PKCE enforced Client without code challenge method.

I was able to kinda work around this by exporting my realm and modifying the value in the JSON to be "s256", which allowed my Keycloak server to accept the request, but then I got "CODE_TO_TOKEN_ERROR" on the Keycloak side and 400 Bad Request\nResponse: {\"error\":\"invalid_grant on the auth side, because I assume that Keycloak does not know how to handle the token.

To Reproduce

Steps to reproduce the behavior, please provide code snippets or a repository:

  1. Set up Keycloak/Auth (I did using an operator on a Kubernetes environment)
  2. Authorize with SSO

Expected behavior

Happy path login

System information

Openshift 4.15

Additional context

It would be great if it used the .well-known/openid-configuration path to pull this information, but I understand that would be a big ask.

Secondarily, it would be nice if there were an easy workaround that would just send the method with a capital S.

I'm also having a hard time finding the documentation on how to enable the plain workflow; that would at least give me a workaround for now.

jland-redhat avatar Apr 17 '24 17:04 jland-redhat

Hey @jland-redhat,

Thanks for reporting the issue and for patiently waiting. I'm not too familiar with Keycloak. Is the requirement here for Keycloak to receive a URL that includes <url>/?<params...>&code_challenge=S256 ?

J0 avatar Jul 03 '24 14:07 J0

Hey @J0

So yeah, exactly what you are saying: Keycloak is an authorization server, and this is as much an issue on their side IMO. But their "allowed code challenges" are S256 and plain, and if you pass in code_challenge=s256 it rejects it.

We ended up going in another direction, but I am not sure if this is the low-hanging fruit of just adding an extra value to your code_challenge_method enum inside your openapi.yaml contract or if there would be more to it than that. But I figured I would bring it to y'all's attention, since Keycloak is a fairly popular auth option when using Openshift.

jland-redhat avatar Jul 04 '24 12:07 jland-redhat
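An added example, not code from Supabase, Keycloak or the reporter, illustrating the case-sensitivity point the thread turns on: RFC 7636 registers the transform names as the literal strings `plain` and `S256`, so an authorization server that matches them exactly accepts the canonical authorize URL and rejects the lower-cased `s256`. The base URL, client id, redirect URI and the `server_accepts` check are constructed stand-ins for a strict server such as the one described above; the rejection message is reused from the report.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# RFC 7636 section 4.3 registers exactly these two values; matching is exact, so "s256" is not one of them.
ALLOWED_METHODS = {"plain", "S256"}


def make_verifier(n_bytes: int = 32) -> str:
    """Random code_verifier of 43 unreserved characters (RFC 7636 section 4.1)."""
    return base64.urlsafe_b64encode(secrets.token_bytes(n_bytes)).rstrip(b"=").decode("ascii")


def s256_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorize_url(base: str, client_id: str, redirect_uri: str,
                        verifier: str, method: str = "S256") -> str:
    """Client side: the authorization request; `method` is sent verbatim."""
    challenge = s256_challenge(verifier) if method == "S256" else verifier
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "code_challenge": challenge,
        "code_challenge_method": method,
    }
    return f"{base}?{urlencode(params)}"


def server_accepts(url: str) -> tuple:
    """Constructed model of a strict server (Keycloak-like) checking the PKCE parameters."""
    query = parse_qs(urlparse(url).query)
    method = query.get("code_challenge_method", [None])[0]
    if method not in ALLOWED_METHODS:
        # Same wording the report quotes from Keycloak; the check itself is a simulation.
        return False, "PKCE enforced Client without code challenge method."
    return True, "ok"


def server_verifies_exchange(challenge: str, method: str, verifier: str) -> bool:
    """Token endpoint: recompute the transform and compare in constant time."""
    expected = s256_challenge(verifier) if method == "S256" else verifier
    return secrets.compare_digest(expected, challenge)
```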