OIDC v2 - PKCE questions

Mak, Steve makst at upenn.edu
Tue Nov 3 15:42:33 UTC 2020


Hi all, I have some OIDC PKCE questions.

I'm trying to set up PKCE flows on my Shib IdP v4.0.1 with OIDC v2.0.0.

I currently have the following setup in my client using apache v2.4/mod_auth_openidc:

    OIDCProviderMetadataURL MY_IDP/.well-known/openid-configuration
    OIDCProviderIssuer MY_IDP/idp/shibboleth
    OIDCClientID MY_SP_ID
    OIDCCryptoPassphrase whatever
    OIDCRedirectURI MY_SP/callback
    OIDCJWKSRefreshInterval 3600
    OIDCResponseType code
    OIDCScope "openid email profile"
    OIDCPassClaimsAs environment
    OIDCClaimPrefix USERINFO_
    OIDCPassIDTokenAs payload
    OIDCPKCEMethod S256


I have the client registered in the idp with the following json (no client_secret):

    {
        "grant_types": [
            "authorization_code"
        ],
        "response_types": [
            "code"
        ],
        "client_id": "MY_SP_ID",
        "redirect_uris": [
            "MY_SP/callback"
        ],
        "scope": "openid email profile"
    }

And this in idp relying-party:

    <util:list id="shibboleth.RelyingPartyOverrides">
        <bean parent="RelyingPartyByName" c:relyingPartyIds="MY_SP_ID">
            <property name="profileConfigurations">
                <list>
                    <bean parent="OIDC.SSO" p:forcePKCE="true"/>
                </list>
            </property>
        </bean>
    </util:list>


When I try to do the OIDC auth flow I see that the client correctly sends a request to the idp's /authorize endpoint with:

    response_type=code
    scope=openid email profile
    client_id=MY_SP_ID
    state=random1
    redirect_uri=MY_SP/callback
    nonce=nonce
    code_challenge=random2
    code_challenge_method=S256

I am then correctly presented with the credential challenge on the IdP.

But once the IdP redirects me back to the MY_SP/callback I get an Error: OpenID Connect Provider error: Error in handling response type.

This is the redirect back to /callback:

    code=giant code
    state=random1 (from above)



Questions:

Am I missing something in the IdP? It seems like the IdP is seeing the PKCE request but I can't tell if the IdP is issuing a PKCE response.

I see this in the IdP logs after redirect back to SP/callback:

    Profile Action ValidateEndpointAuthentication: The client secret validation failed
    A non-proceed event occurred while processing the request: AccessDenied

^ Does this mean the SP is not using PKCE correctly?

Am I missing something on the SP? I can't see the back channel calls with the authz code so I assume the code_challenge is supposed to be in there.

Thanks,
Steve Mak
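The back-channel step the post cannot observe, as an added example (not code from the post, from Shibboleth, or from mod_auth_openidc): the RFC 7636 S256 derivation the client performs for the code_challenge= parameter on /authorize, and the check an authorization server performs at the token endpoint when the client posts its code_verifier together with the authorization code. The in-memory code store and the function names are assumptions; the only data taken from the post is the client_id MY_SP_ID.

```python
import base64
import hashlib
import hmac
import secrets

# RFC 7636 Appendix B test vector; the S256 derivation must reproduce it.
RFC7636_VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
RFC7636_CHALLENGE = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"


def b64url_nopad(raw: bytes) -> str:
    """RFC 7636 uses base64url with the '=' padding stripped."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """Client: 32 random bytes -> 43 unreserved chars, the RFC minimum length."""
    return b64url_nopad(secrets.token_bytes(32))


def make_code_challenge(code_verifier: str) -> str:
    """Client, method S256: BASE64URL(SHA256(ASCII(code_verifier))).
    This is the code_challenge= value on the front-channel /authorize request."""
    return b64url_nopad(hashlib.sha256(code_verifier.encode("ascii")).digest())


def issue_code(store: dict, client_id: str, challenge: str, method: str) -> str:
    """Server, /authorize: bind the challenge (never the verifier) to a one-time code.
    The store is an assumed in-memory stand-in for the IdP's code storage."""
    code = b64url_nopad(secrets.token_bytes(24))
    store[code] = {"client_id": client_id, "challenge": challenge, "method": method}
    return code


def redeem_code(store: dict, code: str, client_id: str, code_verifier: str) -> bool:
    """Server, token endpoint (back channel): the client posts the code and its
    code_verifier. The code is consumed on first use whether or not it verifies."""
    grant = store.pop(code, None)
    if grant is None or grant["client_id"] != client_id:
        return False
    if grant["method"] == "S256":
        expected = make_code_challenge(code_verifier)
    elif grant["method"] == "plain":
        expected = code_verifier
    else:
        return False
    return hmac.compare_digest(expected, grant["challenge"])


if __name__ == "__main__":
    codes = {}
    verifier = make_code_verifier()
    code = issue_code(codes, "MY_SP_ID", make_code_challenge(verifier), "S256")
    assert redeem_code(codes, code, "MY_SP_ID", verifier)
    assert not redeem_code(codes, code, "MY_SP_ID", verifier)  # single use
```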