OIDC v2 - PKCE questions

Mak, Steve makst at upenn.edu
Tue Nov 3 15:42:33 UTC 2020

Hi all, I have some OIDC PKCE questions.

I'm trying to setup PKCE flows on my Shib Idp v4.0.1 w OIDC v2.0.0.

I currently have the following setup in my client using apache v2.4/mod_auth_openidc:

    OIDCProviderMetadataURL MY_IDP/.well-known/openid-configuration
    OIDCProviderIssuer MY_IDP/idp/shibboleth
    OIDCCryptoPassphrase whatever
    OIDCRedirectURI MY_SP/callback
    OIDCJWKSRefreshInterval 3600
    OIDCResponseType code
    OIDCScope "openid email profile"
    OIDCPassClaimsAs environment
    OIDCClaimPrefix USERINFO_
    OIDCPassIDTokenAs payload
    OIDCPKCEMethod S256

I have the client registered in the idp with the following json (no client_secret):

    "grant_types": [
    "response_types": [
    "client_id": "MY_SP_ID",
    "redirect_uris": [
    "scope": "openid email profile"

And this in idp relying-party:

    <util:list id="shibboleth.RelyingPartyOverrides">
        <bean parent="RelyingPartyByName" c:relyingPartyIds="MY_SP_ID">
            <property name="profileConfigurations">
                    <bean parent="OIDC.SSO" p:forcePKCE="true"/>

When I try to do the OIDC auth flow I see that the client correctly sends a request to the idp's /authorize endpoint with
scope=openid email profile

I am then correctly presented with the credential challenge on the IdP.

But once the IdP redirects me back to the MY_SP/callback I get an Error: OpenID Connect Provider error: Error in handling response type.

This is the redirect back to /callback:

code:giant code
state=random1 from above


Am I missing something in the IdP? It seems like the IdP is seeing the PKCE request but I can't tell if the IdP is issuing a PKCE response.

I see this in the IdP logs after redirect back to SP/callback:
Profile Action ValidateEndpointAuthentication: The client secret validation failed
A non-proceed event occurred while processing the request: AccessDenied

^ Does this mean the SP is not using PKCE correctly?

Am I missing something on the SP? I can't see the back channel calls with the authz code so I assume the code_challenge is supposed to be in there.

Steve Mak

More information about the users mailing list