jee-pac4j for Java 8 with PKCE support


LV

May 31, 2021, 6:59:15 AM
to Pac4j users mailing list
Hi,

I am a newbie to pac4j. Which version of jee-pac4j can be used for integrating with a system running Java 1.8 and supports PKCE? In the release notes for pac4j, I see that pac4j version 4.0.3 has PKCE support. Does jee-pac4j version 5.0.0 provide this?

Thanks,
LV

Jérôme LELEU

May 31, 2021, 7:05:27 AM
to LV, Pac4j users mailing list
Hi,

You should use jee-pac4j v5.0.0 and pac4j v4.5.0.
Thanks.
Best regards,
Jérôme



LV

May 31, 2021, 7:12:31 AM
to Pac4j users mailing list
Hi,

I forgot to mention that this is for OIDC with PKCE. Just to confirm that jee-pac4j v5.0.0 and pac4j v4.5.0 is the one to use.

Thanks,
LV

LV

May 31, 2021, 3:51:00 PM
to Pac4j users mailing list
Hi,

The customer requirement is that there will not be any Client Secret for OIDC with PKCE. An error is thrown when oidcConfiguration.setSecret() is not set (Note: Test code works when set to the provider's client secret value). I would appreciate any guidance/examples on how to setup to use PKCE.

Thanks,
LV

Jérôme LELEU

Jun 3, 2021, 4:37:28 AM
to LV, Pac4j users mailing list
Hi,

Does it work with a fake secret?
Thanks.
Best regards,
Jérôme


LV

Jun 4, 2021, 12:35:09 PM
to Pac4j users mailing list
Hi,

It doesn't work when set with a fake secret either.

I set the following in a TestConfigFactory class build() method (Maven set to use jee-pac4j v5.0.0 and pac4j v4.5.0 libraries):
oidcConfiguration.setClientId("<the client ID>");
oidcConfiguration.setSecret("fakevalue");  // set to a fake value, not the real one
oidcConfiguration.setDiscoveryURI("<an Okta developer account URI>");
oidcConfiguration.setScope("openid email profile");
oidcConfiguration.setPkceMethod(CodeChallengeMethod.S256);
oidcConfiguration.setWithState(true);
oidcConfiguration.setPreferredJwsAlgorithm(JWSAlgorithm.RS256);
oidcConfiguration.setUseNonce(true);
final OidcClient<OidcConfiguration> oidcClient = new OidcClient<>(oidcConfiguration);
final Clients clients = new Clients("<the callback URL>", oidcClient); 
clients.init();
final Config config = new Config(clients);
config.addAuthorizer("admin", new RequireAnyRoleAuthorizer<>("ROLE_ADMIN"));
return config;


The method executeTokenRequest() in OidcAuthenticator.java throws a TechnicalException: "Bad token response, error=invalid_client"
The error object has: {"error":"invalid_client","error_description":"The client secret supplied for a confidential client is invalid."}


When I comment out oidcConfiguration.setPkceMethod(CodeChallengeMethod.S256); line and provide the actual secret value it works correctly. However, the app needs to be configured with PKCE.

Thanks,
LV
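For readers following this thread, here is the RFC 7636 mechanism behind the code challenge LV sees in the request: the client keeps a random code_verifier, sends code_challenge = BASE64URL(SHA256(code_verifier)) with the authorization request, and the provider recomputes and compares it when the code is redeemed. This is an added illustration in Python, not pac4j code and not from this thread; the function names are my own, and the test vector is the one from RFC 7636 Appendix B.

```python
import base64
import hashlib
import hmac
import secrets
import string

# RFC 7636 section 4.1: a code_verifier is 43..128 characters drawn only from
# the "unreserved" set [A-Z a-z 0-9 - . _ ~].
_UNRESERVED = set(string.ascii_letters + string.digits + "-._~")


def generate_code_verifier(length: int = 64) -> str:
    """Client side: produce a fresh, high-entropy code_verifier."""
    if not 43 <= length <= 128:
        raise ValueError("code_verifier length must be between 43 and 128")
    alphabet = sorted(_UNRESERVED)
    return "".join(secrets.choice(alphabet) for _ in range(length))


def code_challenge(verifier: str, method: str = "S256") -> str:
    """RFC 7636 section 4.2: derive the code_challenge sent to the authorization endpoint.

    S256  -> BASE64URL(SHA256(ASCII(code_verifier))) with '=' padding stripped
    plain -> the verifier itself (only for clients that cannot hash; S256 is preferred)
    """
    if method == "S256":
        digest = hashlib.sha256(verifier.encode("ascii")).digest()
        return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    if method == "plain":
        return verifier
    raise ValueError(f"unsupported code_challenge_method: {method}")


def verify_code_verifier(stored_challenge: str, stored_method: str, presented_verifier: str) -> bool:
    """Provider side, RFC 7636 section 4.6: when the token request arrives with
    code_verifier, recompute the challenge and compare it to the one stored with
    the authorization code. Malformed verifiers are rejected before hashing and
    the comparison is constant-time."""
    if not 43 <= len(presented_verifier) <= 128:
        return False
    if any(ch not in _UNRESERVED for ch in presented_verifier):
        return False
    try:
        expected = code_challenge(presented_verifier, stored_method)
    except ValueError:
        return False
    return hmac.compare_digest(expected.encode("ascii"), stored_challenge.encode("ascii"))
```

With PKCE the proof that the token request comes from the same client instance is the code_verifier, which is why a public client sends client_id and code_verifier but no client_secret to the token endpoint.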

LV

Jun 9, 2021, 11:06:54 PM
to Pac4j users mailing list
Hi,

Any suggestions on how to configure for OIDC with PKCE using jee-pac4j v5.0.0 and pac4j v4.5.0? I have been unable to make it work. I do see the code challenge being sent in the request and the response coming back.

Thanks,
LV

Jérôme LELEU

Jun 15, 2021, 3:02:27 AM
to LV, Pac4j users mailing list
Hi,

The secret should not be mandatory when using PKCE.
I think there is a bug currently with PKCE, I will investigate.
Thanks.
Best regards,
Jérôme


Jérôme LELEU

Jun 15, 2021, 12:04:46 PM
to LV, Pac4j users mailing list
Hi,

Can you test with version 5.1.1-SNAPSHOT? It should work now.
Thanks.
Best regards,
Jérôme

