OIDC v2 - PKCE questions

Mak, Steve makst at upenn.edu
Tue Nov 3 17:20:09 UTC 2020

Ok I think I figured it out.

I had to add this to the client json registration:


And to relying party override:


On 11/3/20, 10:42, "users on behalf of Mak, Steve" <users-bounces at shibboleth.net on behalf of makst at upenn.edu> wrote:

    Hi all, I have some OIDC PKCE questions.

    I'm trying to setup PKCE flows on my Shib Idp v4.0.1 w OIDC v2.0.0.

    I currently have the following setup in my client using apache v2.4/mod_auth_openidc:

        OIDCProviderMetadataURL MY_IDP/.well-known/openid-configuration
        OIDCProviderIssuer MY_IDP/idp/shibboleth
        OIDCClientID MY_SP_ID
        OIDCCryptoPassphrase whatever
        OIDCRedirectURI MY_SP/callback
        OIDCJWKSRefreshInterval 3600
        OIDCResponseType code
        OIDCScope "openid email profile"
        OIDCPassClaimsAs environment
        OIDCClaimPrefix USERINFO_
        OIDCPassIDTokenAs payload
        OIDCPKCEMethod S256

    I have the client registered in the idp with the following json (no client_secret):

        "grant_types": [
        "response_types": [
        "client_id": "MY_SP_ID",
        "redirect_uris": [
        "scope": "openid email profile"

    And this in idp relying-party:

        <util:list id="shibboleth.RelyingPartyOverrides">
            <bean parent="RelyingPartyByName" c:relyingPartyIds="MY_SP_ID">
                <property name="profileConfigurations">
                        <bean parent="OIDC.SSO" p:forcePKCE="true"/>

    When I try to do the OIDC auth flow I see that the client correctly sends a request to the idp's /authorize endpoint with
    scope=openid email profile

    I am then correctly presented with the credential challenge on the IdP.

    But once the IdP redirects me back to the MY_SP/callback I get an Error: OpenID Connect Provider error: Error in handling response type.

    This is the redirect back to /callback:

    code:giant code
    state=random1 from above


    Am I missing something in the IdP? It seems like the IdP is seeing the PKCE request but I can't tell if the IdP is issuing a PKCE response.

    I see this in the IdP logs after redirect back to SP/callback:
    Profile Action ValidateEndpointAuthentication: The client secret validation failed
    A non-proceed event occurred while processing the request: AccessDenied

    ^ Does this mean the SP is not using PKCE correctly?

    Am I missing something on the SP? I can't see the back channel calls with the authz code so I assume the code_challenge is supposed to be in there.

    Steve Mak

    For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
    To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net

More information about the users mailing list