OIDC v2 - PKCE questions
makst at upenn.edu
Tue Nov 3 15:42:33 UTC 2020
Hi all, I have some OIDC PKCE questions.
I'm trying to set up PKCE flows on my Shib IdP v4.0.1 with OIDC v2.0.0.
I currently have the following setup in my client using apache v2.4/mod_auth_openidc:
OIDCScope "openid email profile"
I have the client registered in the IdP with the following JSON (no client_secret):
"scope": "openid email profile"
And this in the IdP relying-party config:
<bean parent="RelyingPartyByName" c:relyingPartyIds="MY_SP_ID">
<bean parent="OIDC.SSO" p:forcePKCE="true"/>
When I try to do the OIDC auth flow I see that the client correctly sends a request to the IdP's /authorize endpoint with
scope=openid email profile
I am then correctly presented with the credential challenge on the IdP.
But once the IdP redirects me back to the MY_SP/callback I get an Error: OpenID Connect Provider error: Error in handling response type.
This is the redirect back to /callback:
state=random1 from above
Am I missing something in the IdP? It seems like the IdP is seeing the PKCE request but I can't tell if the IdP is issuing a PKCE response.
I see this in the IdP logs after redirect back to SP/callback:
Profile Action ValidateEndpointAuthentication: The client secret validation failed
A non-proceed event occurred while processing the request: AccessDenied
^ Does this mean the SP is not using PKCE correctly?
Am I missing something on the SP? I can't see the back channel calls with the authz code so I assume the code_challenge is supposed to be in there.
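Since the questions above turn on what PKCE actually adds to the code flow, here is an added example (mine, not the poster's or the Shibboleth project's code) of both halves of the S256 exchange in Python: the client-side verifier and challenge derivation that goes to /authorize, and the check the token endpoint performs on the code_verifier when the code is redeemed. The client_id, redirect URI and state values are placeholders; the verifier check is a separate step from client authentication, which is what the "client secret validation failed" log line above refers to.

```python
import base64
import hashlib
import secrets
from typing import Optional
from urllib.parse import urlencode

# RFC 7636 unreserved characters permitted in a code_verifier.
_VERIFIER_CHARS = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"
)


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_code_verifier() -> str:
    """32 random bytes -> 43-character verifier (the minimum allowed length)."""
    return b64url(secrets.token_bytes(32))


def code_challenge(verifier: str, method: str = "S256") -> str:
    """Value the client sends to /authorize as code_challenge."""
    if method == "S256":
        return b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    if method == "plain":
        return verifier
    raise ValueError("unsupported code_challenge_method")


def authorize_query(client_id: str, redirect_uri: str, state: str,
                    verifier: str, scope: str = "openid email profile") -> str:
    """Front-channel request: only the challenge travels here, never the verifier."""
    return urlencode({
        "response_type": "code", "client_id": client_id,
        "redirect_uri": redirect_uri, "scope": scope, "state": state,
        "code_challenge": code_challenge(verifier),
        "code_challenge_method": "S256",
    })


def verify_pkce(stored_challenge: str, stored_method: str,
                verifier: Optional[str]) -> bool:
    """Token-endpoint side: re-derive the challenge from the presented
    code_verifier (bound to the code at /authorize) and compare in constant
    time. This runs in addition to client authentication, not instead of it."""
    if verifier is None or not 43 <= len(verifier) <= 128:
        return False
    if not set(verifier) <= _VERIFIER_CHARS:
        return False
    return secrets.compare_digest(code_challenge(verifier, stored_method),
                                  stored_challenge)
```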