Keycloak issue KEYCLOAK-4956

Proof Key for Code Exchange: S256 code challenge generation is incorrect

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: 3.1.0.CR1, 3.1.0.Final, 3.1.1.Final, 3.2.0.CR1
    • Fix Version/s: 3.2.0.CR1, 3.2.0.Final
    • Component/s: None
    • Labels: None
    • Docs QE Status: NEW
    • QE Status: NEW

      Description

      Based on https://tools.ietf.org/html/rfc7636#section-4.2, it seems code challenge generation for the S256 method is incorrect (implemented by this PR: https://github.com/keycloak/keycloak/pull/3831).

      code_challenge = BASE64URL-ENCODE(SHA256(ASCII(code_verifier)))

      Here the SHA256 output is in binary format (a byte array), not a hex string.

      Other implementations of PKCE, for comparison:
      https://auth0.com/docs/api-auth/tutorials/authorization-code-grant-pkce#2-create-a-code-challenge

      https://github.com/openid/AppAuth-Android/blob/master/library/java/net/openid/appauth/CodeVerifierUtil.java#L137
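As an added worked example (not code from this issue or from Keycloak), the following Python computes the S256 code challenge exactly as RFC 7636 section 4.2 specifies, shows for comparison the hex-string variant this report describes as incorrect, and adds the server-side check from RFC 7636 section 4.6 that an authorization server performs at the token endpoint. The test vector is the one published in RFC 7636 Appendix B; the function names are my own.

```python
import base64
import hashlib
import hmac
import secrets

# Test vector taken from RFC 7636 Appendix B (public example values).
RFC7636_VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
RFC7636_CHALLENGE = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"


def base64url_encode(data: bytes) -> str:
    """BASE64URL-ENCODE per RFC 7636 section 3: URL-safe alphabet, no '=' padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def generate_code_verifier(num_bytes: int = 32) -> str:
    """Client side (RFC 7636 section 4.1): 32 random octets give a 43-character verifier."""
    return base64url_encode(secrets.token_bytes(num_bytes))


def s256_code_challenge(code_verifier: str) -> str:
    """Correct S256: BASE64URL-ENCODE(SHA256(ASCII(code_verifier))).

    The raw SHA-256 digest bytes are encoded, never their hex representation.
    """
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64url_encode(digest)


def s256_code_challenge_hex_bug(code_verifier: str) -> str:
    """The defect this issue describes, re-created here only for comparison:
    the hex string of the hash is base64url-encoded instead of the digest bytes,
    producing an 86-character value that no conforming client will ever send."""
    hex_digest = hashlib.sha256(code_verifier.encode("ascii")).hexdigest()
    return base64url_encode(hex_digest.encode("ascii"))


def verify_code_verifier(code_verifier: str, stored_challenge: str,
                         method: str = "S256") -> bool:
    """Authorization server side (RFC 7636 section 4.6): recompute the challenge
    from the verifier presented at the token endpoint and compare it with the
    challenge stored alongside the authorization code. A constant-time compare
    avoids leaking how many leading characters matched."""
    if method == "S256":
        expected = s256_code_challenge(code_verifier)
    elif method == "plain":
        expected = code_verifier
    else:
        return False  # unknown code_challenge_method: reject
    return hmac.compare_digest(expected.encode("ascii"),
                               stored_challenge.encode("ascii"))


if __name__ == "__main__":
    correct = s256_code_challenge(RFC7636_VERIFIER)
    buggy = s256_code_challenge_hex_bug(RFC7636_VERIFIER)
    print("RFC 7636 challenge :", RFC7636_CHALLENGE)
    print("digest-based (ok)  :", correct, len(correct), "chars")
    print("hex-based (bug)    :", buggy, len(buggy), "chars")
    print("server accepts RFC verifier:",
          verify_code_verifier(RFC7636_VERIFIER, RFC7636_CHALLENGE))
```

Running the block prints both challenges for the Appendix B verifier: the digest-based one is 43 characters and matches the RFC, while the hex-based one is 86 characters and cannot match. A server that computes the challenge the buggy way therefore rejects every spec-conformant client at the token endpoint, which is why comparing against the RFC test vector is a cheap regression check for any PKCE implementation.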


      People

      • Assignee: bill.burke Bill Burke
      • Reporter: mrezai Mohammad Rezai
      • Votes: 0
      • Watchers: 2
