Describe the bug
The consent page, while calling the /authorize endpoint, does not pass all parameters from the original request. This causes the PKCE's code_challenge and code_challenge_method parameters to be missing, resulting in an error from the authorization endpoint.
Steps to Reproduce
Enable proofKeyForCodeExchange and publicClient for the registered OpenID Connect Client at the Liberty's Provider. Attempt to access a protected resource, then the request to the /authorize endpoint will contain the PKCE's code_challenge and code_challenge_method parameters. The consent page should be displayed. User consents. Then, Liberty OP's /authorize endpoint will return a response with an "error" and "error_description" with the CWOAU0033E message.
Expected behavior
The PKCE's parameters should be accepted.
Diagnostic information:
OpenLiberty Version: [e.g. 21.0.0.8 - 21.0.0.10]
Affected feature(s) openidConnectServer-1.0
Java Version: [i.e. full output of java -version]
server.xml configuration (WITHOUT sensitive information like passwords)
If it would be useful, upload the messages.log file found in $WLP_OUTPUT_DIR/messages.log
Hi, there is one more prerequisite for reproducing the bug: the client must not have preauthorized all scopes ("preauthorized_scope": "openid profile email phone"), as that would skip the consent page.
Describe the bug
The consent page, while calling the /authorize endpoint, does not pass all parameters from the original request. This causes the PKCE's code_challenge and code_challenge_method parameters to be missing, resulting in an error from the authorization endpoint:
"CWOAU0033E%3A+A+required+runtime+parameter+was+missing%3A+code_challenge"
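A regression check for the behaviour reported in this issue, as an added example that is not Open Liberty code or part of the original report: it compares the initial /authorize request with the one sent after consent and lists every parameter that was dropped or altered. The host names, client_id, state value and both sample URLs are constructed; the verifier and challenge pair is the RFC 7636 Appendix B test vector.

```python
import base64
import hashlib
from urllib.parse import parse_qs, urlencode, urlsplit

PKCE_PARAMS = ("code_challenge", "code_challenge_method")

def s256_challenge(verifier: str) -> str:
    """RFC 7636 S256 transform: BASE64URL(SHA256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def query_params(url: str) -> dict:
    """First value of each query parameter in the URL."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}

def dropped_params(initial_url: str, post_consent_url: str) -> list:
    """Parameters of the initial request that are absent or changed after consent."""
    before = query_params(initial_url)
    after = query_params(post_consent_url)
    return sorted(k for k, v in before.items() if after.get(k) != v)

def pkce_survives_consent(initial_url: str, post_consent_url: str) -> bool:
    """True only if both PKCE parameters reach the second /authorize call intact."""
    return not set(PKCE_PARAMS) & set(dropped_params(initial_url, post_consent_url))

# --- constructed sample data (not taken from the report) ---
VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"  # RFC 7636 Appendix B
INITIAL = {
    "response_type": "code",
    "client_id": "demo-client",                     # hypothetical client
    "redirect_uri": "https://rp.example/callback",  # hypothetical RP
    "scope": "openid profile",
    "state": "af0ifjsldkj",
    "code_challenge": s256_challenge(VERIFIER),
    "code_challenge_method": "S256",
}
BASE = "https://op.example/authorize?"              # hypothetical OP host
initial_url = BASE + urlencode(INITIAL)
# Symptom from the report: the post-consent request lacks the PKCE parameters.
broken_url = BASE + urlencode(
    {k: v for k, v in INITIAL.items() if k not in PKCE_PARAMS})
# Expected behaviour: the consent page forwards the original request unchanged.
fixed_url = BASE + urlencode(INITIAL)

if __name__ == "__main__":
    print("dropped after consent:", dropped_params(initial_url, broken_url))
    print("PKCE preserved (broken):", pkce_survives_consent(initial_url, broken_url))
    print("PKCE preserved (fixed): ", pkce_survives_consent(initial_url, fixed_url))
```

Because the check compares values as well as presence, it also flags a consent step that substitutes a different code_challenge.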