PKCE parameters not copied by oauthForm.js #22786

Closed
teddyjtorres opened this issue Oct 3, 2022 · 1 comment · Fixed by #23745
Labels: release bug (This bug is present in a released version of Open Liberty), release:23001

Comments

@teddyjtorres (Contributor)

Describe the bug
The consent page, while calling the /authorize endpoint, does not pass all parameters from the original request. This causes the PKCE's code_challenge and code_challenge_method parameters to be missing, resulting in an error from the authorization endpoint:

"CWOAU0033E%3A+A+required+runtime+parameter+was+missing%3A+code_challenge"

Steps to Reproduce
Enable proofKeyForCodeExchange and publicClient for the registered OpenID Connect Client at Liberty's Provider. Attempt to access a protected resource; the request to the /authorize endpoint will then contain the PKCE's code_challenge and code_challenge_method parameters. The consent page should be displayed. The user consents. Then, Liberty OP's /authorize endpoint will return a response with an "error" and an "error_description" containing the CWOAU0033E message.

Expected behavior
The PKCE's parameters should be accepted.

Diagnostic information:

  • OpenLiberty Version: [e.g. 21.0.0.8 - 21.0.0.10]
  • Affected feature(s) openidConnectServer-1.0
  • Java Version: [i.e. full output of java -version]
  • server.xml configuration (WITHOUT sensitive information like passwords)
  • If it would be useful, upload the messages.log file found in $WLP_OUTPUT_DIR/messages.log

Additional context
Add any other context about the problem here.
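To make the failure mode concrete, here is an added example (not Open Liberty's oauthForm.js or any of its code) of a consent page forwarding the original /authorize parameters and the server-side check that fails when the PKCE ones are dropped. The fixed-field "legacy" builder, the consent_decision field and the sample query are assumptions constructed for this example; the report does not say how the real form selects fields.

```javascript
// Added example, not Open Liberty code: forwarding /authorize parameters from a consent page.

// Parameters a PKCE (RFC 7636) client must see again on the post-consent /authorize call.
const PKCE_PARAMS = ['code_challenge', 'code_challenge_method'];

// Constructed sample of the original /authorize query string (values are made up;
// the code_challenge is the S256 example value from RFC 7636 Appendix B).
const SAMPLE_AUTHORIZE_QUERY =
  'client_id=client01&response_type=code&redirect_uri=https%3A%2F%2Fapp.example%2Fcb' +
  '&scope=openid%20profile&state=xyz' +
  '&code_challenge=E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM&code_challenge_method=S256';

// Parse the query string of the original /authorize request into a plain object.
function parseAuthorizeQuery(query) {
  const out = {};
  for (const [k, v] of new URLSearchParams(query.replace(/^\?/, ''))) out[k] = v;
  return out;
}

// Assumed illustration of the reported behaviour: only a fixed list of fields is
// copied into the consent form, so the PKCE parameters never reach /authorize again.
const LEGACY_FIELDS = ['client_id', 'response_type', 'redirect_uri', 'scope', 'state', 'nonce'];
function buildConsentParamsLegacy(original) {
  const forwarded = {};
  for (const name of LEGACY_FIELDS) if (name in original) forwarded[name] = original[name];
  return forwarded;
}

// Corrected behaviour: forward every parameter of the original request unchanged,
// then add the consent decision (field name 'consent_decision' is an assumption).
function buildConsentParams(original, consentGranted) {
  return { ...original, consent_decision: consentGranted ? 'allow' : 'deny' };
}

// What the authorization endpoint checks for a PKCE client: returns the names of
// required PKCE parameters that are absent or empty (an empty array means OK).
function missingPkceParams(params) {
  return PKCE_PARAMS.filter((name) => !(name in params) || params[name] === '');
}

// Render the forwarded parameters as hidden inputs, HTML-escaping names and values
// so that attacker-controlled query values cannot break out of the attributes.
function toHiddenInputs(params) {
  const esc = (s) => String(s).replace(/[&<>"']/g, (c) => `&#${c.charCodeAt(0)};`);
  return Object.entries(params)
    .map(([k, v]) => `<input type="hidden" name="${esc(k)}" value="${esc(v)}">`)
    .join('\n');
}
```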

@teddyjtorres teddyjtorres added the release bug This bug is present in a released version of Open Liberty label Oct 3, 2022
@rinkishimo

Hi, there is one more prerequisite when reproducing the bug: the client must not have preauthorized all scopes ("preauthorized_scope": "openid profile email phone"); otherwise it would skip the consent page.
