PKCE Code Verifier Issue on CAS 6.2.8 and Build Failures During Upgrade to 6.4.6
92 views
Skip to first unread message
Preethy Venkat
Oct 6, 2025, 11:25:27 PM (13 days ago) Oct 6
to CAS Community
Hi CAS Team,
We are currently facing an issue with CAS 6.2.8 while integrating with Microsoft Entra ID (Azure AD) for OIDC authentication. The flow fails during PKCE verification with the following error from Azure:
AADSTS50148: The code_verifier does not match the code_challenge supplied in the authorization request.
We understand that PKCE compliance is improved in later CAS versions, so we attempted to upgrade our deployment to CAS 6.4.6 to align with Microsoft requirements. However, our Gradle-based build pipeline failed repeatedly due to dependency resolution conflicts and version mismatches, preventing a successful build.
We would like to raise a ticket to get guidance on the following:
- Which CAS version fully supports PKCE for Azure AD integration
- Recommended dependency or Gradle configuration adjustments when upgrading from 6.2.8 to 6.4.x or newer
Environment:
- CAS version: 6.2.8
- Target upgrade version: 6.4.6
- Java: 11
- Spring Boot: 2.2.8.RELEASE
- Build Tool: Gradle
- Integration: Microsoft Entra ID (Azure AD)
We can share sanitized logs or dependency trees if required.
Any help or direction from the CAS community would be appreciated.
We are currently facing an issue with CAS 6.2.8 while integrating with Microsoft Entra ID (Azure AD) for OIDC authentication. The flow fails during PKCE verification with the following error from Azure:
AADSTS50148: The code_verifier does not match the code_challenge supplied in the authorization request.
We understand that PKCE compliance is improved in later CAS versions, so we attempted to upgrade our deployment to CAS 6.4.6 to align with Microsoft requirements. However, our Gradle-based build pipeline failed repeatedly due to dependency resolution conflicts and version mismatches, preventing a successful build.
We would like to raise a ticket to get guidance on the following:
- Which CAS version fully supports PKCE for Azure AD integration
- Recommended dependency or Gradle configuration adjustments when upgrading from 6.2.8 to 6.4.x or newer
Environment:
- CAS version: 6.2.8
- Target upgrade version: 6.4.6
- Java: 11
- Spring Boot: 2.2.8.RELEASE
- Build Tool: Gradle
- Integration: Microsoft Entra ID (Azure AD)
We can share sanitized logs or dependency trees if required.
Any help or direction from the CAS community would be appreciated.
Thanks,
Preethy Venkat
Ray Bon
Oct 7, 2025, 2:54:13 PM (13 days ago) Oct 7
to cas-...@apereo.org
Preethy,
I suggest you move to the latest version 7.2.x or 7.3 [1]
You will have to verify configuration properties since some names have changed; and regenerate some keys because minimum key lengths have changed; and update any custom code.
Java and tomcat will also have to be upgraded.
You can build with (even if you have custom code):
./gradlew build
What kind of build process are you using?
It is very possible that the problem you are having has been fixed in the intervening years. [2]
Ray
Note: you do not need to go through a stepwise upgrade process.
From: cas-...@apereo.org <cas-...@apereo.org> on behalf of Preethy Venkat <preev...@gmail.com>
Sent: October 6, 2025 18:09
To: CAS Community <cas-...@apereo.org>
Subject: [cas-user] PKCE Code Verifier Issue on CAS 6.2.8 and Build Failures During Upgrade to 6.4.6
Sent: October 6, 2025 18:09
To: CAS Community <cas-...@apereo.org>
Subject: [cas-user] PKCE Code Verifier Issue on CAS 6.2.8 and Build Failures During Upgrade to 6.4.6
|
You don't often get email from preev...@gmail.com.
Learn why this is important
|
--
- Website: https://apereo.github.io/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/8ba9df2d-3cc8-4cf9-b7d6-3829907e365cn%40apereo.org.
- Website: https://apereo.github.io/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/8ba9df2d-3cc8-4cf9-b7d6-3829907e365cn%40apereo.org.
Reply all
Reply to author
Forward
0 new messages