Oidc delegation pkce failure on Okta


Abre Chase

Sep 16, 2020, 8:01:46 AM
to CAS Community

Hi All - 

I'm attempting to set up delegation from CAS 6.2.2 to Okta and have run into a problem.

The logs show: 

2020-09-15 23:55:49,201 DEBUG [org.pac4j.oidc.redirect.OidcRedirectionActionBuilder] - <Authentication request url: https://dev-233489.okta.com/oauth2/v1/authorize?scope=openid+profile+email&response_type=code&redirect_uri=https%3A%2F%2Flocalhost%3A8444%2Fcas%2Flogin%2Fokta&state=TST-1-r6SHqooSo3qIITtnkhCDn0aLhoKRl0-R&code_challenge_method=S256&nonce=4NjpcwSH_PxBES2_SXTfeEku6BoDb1jqzsTfxNhsuqc&client_id=0oaz33kps1PVfeERs4x6&code_challenge=dPP8K0ENJEO5BGNv_ML0WarVa7zOLcbZgCJu45Ih5Co>

2020-09-15 23:55:49,640 DEBUG [org.pac4j.oidc.credentials.extractor.OidcExtractor] - <Authentication response successful>

2020-09-15 23:55:50,150 DEBUG [org.pac4j.oidc.credentials.authenticator.OidcAuthenticator] - <Token response: status=400, content={"error":"invalid_request","error_description":"PKCE code verifier is required when the token endpoint authentication method is 'NONE'."}

The CAS configuration is:

cas.authn.pac4j.oidc[0].generic.type=GENERIC

cas.authn.pac4j.oidc[0].generic.discoveryUri=https://dev-233489-admin.okta.com/.well-known/openid-configuration

cas.authn.pac4j.oidc[0].generic.maxClockSkew=600

cas.authn.pac4j.oidc[0].generic.scope=openid profile email

cas.authn.pac4j.oidc[0].generic.id=***

cas.authn.pac4j.oidc[0].generic.secret=***

cas.authn.pac4j.oidc[0].generic.useNonce=true

cas.authn.pac4j.oidc[0].generic.preferredJwsAlgorithm=RS256

Any idea why the authentication type is defaulting to none and not client_secret_basic?  I've tried adding both:

cas.authn.pac4j.oidc[0].generic.disablePkce=true

cas.authn.pac4j.oidc[0].generic.clientAuthenticationMethod=client_secret_basic

But no luck.

Thanks for any advice.  I've been looking at the code and pac4j source to try to figure out what is going on here but not having much luck.

Abre Chase
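The rule behind the 400 in the log above, as an added example (not code from the post, from CAS or from pac4j): PKCE ties the code_verifier to the code_challenge sent in the authorization request, and a client that does not authenticate at the token endpoint (method "none") has nothing else to prove it is the party that started the flow, so the verifier becomes mandatory. The block below generates a verifier/challenge pair exactly as RFC 7636 specifies (S256), builds the token request for the three client authentication methods, and models the token endpoint's decision with a hypothetical `token_endpoint_policy` function that is an assumption about Okta's behaviour derived only from the error message, not Okta's implementation. The RFC 7636 Appendix B test vector is used to check the hash derivation.

```python
import base64
import hashlib
import secrets
from urllib.parse import quote


def make_code_verifier(nbytes: int = 32) -> str:
    """Random PKCE code_verifier (RFC 7636 4.1): base64url, no padding, 43 chars for 32 bytes."""
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).rstrip(b"=").decode("ascii")


def s256_challenge(code_verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) without '=' padding (RFC 7636 4.2)."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_token_request(code, redirect_uri, client_id, client_secret=None,
                        auth_method="client_secret_basic", code_verifier=None):
    """Return (headers, form) for an authorization_code token request, authenticating
    the client as the chosen token-endpoint method prescribes (RFC 6749 2.3.1)."""
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    form = {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri}
    if auth_method == "client_secret_basic":
        if client_secret is None:
            raise ValueError("client_secret_basic needs a client secret")
        # RFC 6749 requires form-urlencoding id and secret before Basic-encoding them
        creds = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
        headers["Authorization"] = "Basic " + base64.b64encode(creds.encode("ascii")).decode("ascii")
    elif auth_method == "client_secret_post":
        if client_secret is None:
            raise ValueError("client_secret_post needs a client secret")
        form["client_id"] = client_id
        form["client_secret"] = client_secret
    elif auth_method == "none":
        form["client_id"] = client_id  # public client: identified, never authenticated
    else:
        raise ValueError(f"unsupported token endpoint auth method: {auth_method}")
    if code_verifier is not None:
        form["code_verifier"] = code_verifier
    return headers, form


def token_endpoint_policy(headers, form, expected_challenge=None):
    """Simplified model (an assumption, not Okta's code) of the server-side decision:
    an unauthenticated client must present a code_verifier, and whenever the
    authorization request carried a code_challenge the verifier must hash to it.
    Returns (accepted, error_body)."""
    authenticated = "Authorization" in headers or "client_secret" in form
    verifier = form.get("code_verifier")
    if not authenticated and verifier is None:
        return False, {"error": "invalid_request",
                       "error_description": "PKCE code verifier is required when the "
                                            "token endpoint authentication method is 'NONE'."}
    if expected_challenge is not None:
        if verifier is None or s256_challenge(verifier) != expected_challenge:
            return False, {"error": "invalid_grant",
                           "error_description": "PKCE verification failed"}
    return True, {}


if __name__ == "__main__":
    redirect = "https://localhost:8444/cas/login/okta"  # from the thread's log line
    verifier = make_code_verifier()
    challenge = s256_challenge(verifier)  # this is what goes into code_challenge=...
    # The failing case from the log: challenge was sent, client authenticates as 'none',
    # and no code_verifier reaches the token endpoint.
    h, f = build_token_request("code", redirect, "client", "secret", auth_method="none")
    print(token_endpoint_policy(h, f, challenge))
    # The working case: client_secret_basic plus the verifier that matches the challenge.
    h, f = build_token_request("code", redirect, "client", "secret", code_verifier=verifier)
    print(token_endpoint_policy(h, f, challenge))
```

Running the script prints the same `invalid_request` body seen in the log for the first request and `(True, {})` for the second; a pac4j client that advertises a code_challenge in the authorization URL has to either send the matching verifier or, if PKCE is switched off, stop sending the challenge in the first place.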



Jérôme Rautureau

Sep 17, 2020, 6:09:45 AM
to cas-...@apereo.org
Hi,

Maybe you can disable PKCE RFC support.

I have successfully patched the 6.2.x branch myself:

cas.authn.pac4j.oidc[0].generic.useNonce=true
cas.authn.pac4j.oidc[0].generic.disable-pkce=true #(default is false)

I have started a pull request on CAS repo in order to provide this configuration key.

The issue comes from the pac4j 4.0.3 version (and Apereo CAS 6.2.1+), https://www.pac4j.org/docs/release-notes.html




--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG


--
Jérôme Rautureau

Jérôme Rautureau

Sep 17, 2020, 10:22:16 AM
to cas-...@apereo.org
--
Jérôme Rautureau

Abre Chase

Sep 17, 2020, 12:12:52 PM
to cas-...@apereo.org
Thanks.  I will try building and running locally to test the changes.

I do think it would be good to also add support for the clientAuthenticationMethod setting.  Right now it looks like the code just picks the first in the list.

Abre
