supabase / auth

A JWT based API for managing users and issuing JWT tokens

Home Page:https://supabase.com/docs/guides/auth

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

Keycloak Authorization PKCE s256/S256

jland-redhat opened this issue · comments

Bug report

  • [ x] I confirm this is a bug with Supabase, not with my own application.
  • [ x] I confirm I have searched the Docs, GitHub Discussions, and Discord.

Describe the bug

Keycloak accepts the the code challenge method "S256" (it is part of a drop down menu) but it seems like supabase has hardcoded it's challenge method to "s256"

So when a login is attempted Keycloak throws

PKCE enforced Client without code challenge method.

I was able to kinda work around this by exporting my realm and modifying the value in json to be "s256" which allowed my Keycloak server to accept the request, but then I got "CODE_TO_TOKEN_ERROR" on the keycloak side and 400 Bad Request\nResponse: {\"error\":\"invalid_grant on the auth side. Because I assume that keycloak does not know how to handle the token.

To Reproduce

Steps to reproduce the behavior, please provide code snippets or a repository:

  1. Set up Keycloak/Auth (I did using an operator on a Kubernetes environment)
  2. Authorize with SSO

Expected behavior

Happy path login

Screenshots

image

System information

Openshift 4.15

Additional context

It would be great if it used the .well-known/openid-configuration path to pull this information but I understand that would be a big ask.

Secondarily an it would be nice if there was an easy workaround that would just send the method with a capital s.

Also having a hard time finding the documentation on how to enable the plain workflow, that would at least give me a workaround for now.