Keycloak Authorization PKCE s256/S256
jland-redhat opened this issue · comments
Bug report
- [ x] I confirm this is a bug with Supabase, not with my own application.
- [ x] I confirm I have searched the Docs, GitHub Discussions, and Discord.
Describe the bug
Keycloak accepts the the code challenge method "S256" (it is part of a drop down menu) but it seems like supabase has hardcoded it's challenge method to "s256"
So when a login is attempted Keycloak throws
PKCE enforced Client without code challenge method.
I was able to kinda work around this by exporting my realm and modifying the value in json to be "s256" which allowed my Keycloak server to accept the request, but then I got "CODE_TO_TOKEN_ERROR" on the keycloak side and 400 Bad Request\nResponse: {\"error\":\"invalid_grant
on the auth side. Because I assume that keycloak does not know how to handle the token.
To Reproduce
Steps to reproduce the behavior, please provide code snippets or a repository:
- Set up Keycloak/Auth (I did using an operator on a Kubernetes environment)
- Authorize with SSO
Expected behavior
Happy path login
Screenshots
System information
Openshift 4.15
Additional context
It would be great if it used the .well-known/openid-configuration
path to pull this information but I understand that would be a big ask.
Secondarily an it would be nice if there was an easy workaround that would just send the method with a capital s
.
Also having a hard time finding the documentation on how to enable the plain workflow, that would at least give me a workaround for now.