PKCE verification failed #290

Closed
BiancaRapp opened this issue Apr 5, 2024 · 4 comments · Fixed by #291
Comments

BiancaRapp commented Apr 5, 2024

Jenkins and plugins versions report

Environment
Jenkins: 2.440.2
OS: Linux - 5.15.0-91-generic
Java: 17.0.10 - Eclipse Adoptium (OpenJDK 64-Bit Server VM)
---
analysis-model-api:12.1.0
antisamy-markup-formatter:162.v0e6ec0fcfcf6
apache-httpcomponents-client-4-api:4.5.14-208.v438351942757
asm-api:9.7-33.v4d23ef79fcc8
atlassian-bitbucket-server-integration:4.0.0
authentication-tokens:1.53.v1c90fd9191a_b_
bitbucket-scm-filter-aged-refs:31.ve3b_ca_fc71d5b_
blueocean:1.27.11
blueocean-bitbucket-pipeline:1.27.11
blueocean-commons:1.27.11
blueocean-config:1.27.11
blueocean-core-js:1.27.11
blueocean-dashboard:1.27.11
blueocean-display-url:2.4.2
blueocean-events:1.27.11
blueocean-git-pipeline:1.27.11
blueocean-github-pipeline:1.27.11
blueocean-i18n:1.27.11
blueocean-jwt:1.27.11
blueocean-personalization:1.27.11
blueocean-pipeline-api-impl:1.27.11
blueocean-pipeline-editor:1.27.11
blueocean-pipeline-scm-api:1.27.11
blueocean-rest:1.27.11
blueocean-rest-impl:1.27.11
blueocean-web:1.27.11
bootstrap5-api:5.3.3-1
bouncycastle-api:2.30.1.77-225.v26ea_c9455fd9
branch-api:2.1152.v6f101e97dd77
caffeine-api:3.1.8-133.v17b_1ff2e0599
checks-api:2.2.0
cloud-stats:336.v788e4055508b_
cloudbees-bitbucket-branch-source:883.v041fa_695e9c2
cloudbees-folder:6.901.vb_4c7a_da_75da_3
cobertura:1.17
code-coverage-api:4.99.0
command-launcher:107.v773860566e2e
commons-lang3-api:3.13.0-62.v7d18e55f51e2
commons-text-api:1.11.0-95.v22a_d30ee5d36
configuration-as-code:1775.v810dc950b_514
coverage:1.13.0
credentials:1337.v60b_d7b_c7b_c9f
credentials-binding:657.v2b_19db_7d6e6d
data-tables-api:2.0.3-1
dependency-track:4.3.1
display-url-api:2.200.vb_9327d658781
docker-commons:439.va_3cb_0a_6a_fb_29
docker-workflow:572.v950f58993843
durable-task:550.v0930093c4b_a_6
echarts-api:5.5.0-1
favorite:2.208.v91d65b_7792a_c
font-awesome-api:6.5.1-3
forensics-api:2.4.0
git:5.2.1
git-client:4.7.0
github:1.38.0
github-api:1.318-461.v7a_c09c9fa_d63
github-branch-source:1785.v99802b_69816c
groovy:457.v99900cb_85593
gson-api:2.10.1-15.v0d99f670e0a_7
handy-uri-templates-2-api:2.1.8-30.v7e777411b_148
hetzner-cloud:84.v8acf5510fd35
htmlpublisher:1.33
instance-identity:185.v303dc7c645f9
ionicons-api:70.v2959a_b_74e3cf
jackson2-api:2.17.0-379.v02de8ec9f64c
jakarta-activation-api:2.1.3-1
jakarta-mail-api:2.1.3-1
javax-activation-api:1.2.0-6
javax-mail-api:1.6.2-9
jaxb:2.3.9-1
jenkins-design-language:1.27.11
jjwt-api:0.11.5-112.ve82dfb_224b_a_d
job-dsl:1.87
joda-time-api:2.12.7-29.v5a_b_e3a_82269a_
jquery3-api:3.7.1-2
json-api:20240303-41.v94e11e6de726
json-path-api:2.9.0-58.v62e3e85b_a_655
junit:1265.v65b_14fa_f12f0
kubernetes:4203.v1dd44f5b_1cf9
kubernetes-client-api:6.10.0-240.v57880ce8b_0b_2
kubernetes-credentials:0.11
kubernetes-credentials-provider:1.262.v2670ef7ea_0c5
mailer:472.vf7c289a_4b_420
matrix-auth:3.2.2
matrix-project:822.824.v14451b_c0fd42
metrics:4.2.21-449.v6960d7c54c69
mina-sshd-api-common:2.12.1-101.v85b_e08b_780dd
mina-sshd-api-core:2.12.1-101.v85b_e08b_780dd
oic-auth:4.227.v36610663f760
okhttp-api:4.11.0-172.vda_da_1feeb_c6e
pipeline-build-step:540.vb_e8849e1a_b_d8
pipeline-graph-analysis:216.vfd8b_ece330ca_
pipeline-groovy-lib:704.vc58b_8890a_384
pipeline-input-step:491.vb_07d21da_1a_fb_
pipeline-milestone-step:119.vdfdc43fc3b_9a_
pipeline-model-api:2.2184.v0b_358b_953e69
pipeline-model-definition:2.2184.v0b_358b_953e69
pipeline-model-extensions:2.2184.v0b_358b_953e69
pipeline-stage-step:312.v8cd10304c27a_
pipeline-stage-tags-metadata:2.2184.v0b_358b_953e69
plain-credentials:179.vc5cb_98f6db_38
plugin-util-api:4.1.0
prism-api:1.29.0-13
pubsub-light:1.18
scm-api:689.v237b_6d3a_ef7f
script-security:1326.vdb_c154de8669
slack:684.v833089650554
snakeyaml-api:2.2-111.vc6598e30cc65
sse-gateway:1.26
ssh-agent:346.vda_a_c4f2c8e50
ssh-credentials:337.v395d2403ccd4
ssh-slaves:2.948.vb_8050d697fec
sshd:3.322.v159e91f6a_550
structs:337.v1b_04ea_4df7c8
token-macro:400.v35420b_922dcb_
trilead-api:2.142.v748523a_76693
uno-choice:2.8.3
variant:60.v7290fc0eb_b_cd
warnings-ng:11.2.2
workflow-aggregator:596.v8c21c963d92d
workflow-api:1291.v51fd2a_625da_7
workflow-basic-steps:1049.v257a_e6b_30fb_d
workflow-cps:3894.vd0f0248b_a_fc4
workflow-durable-task-step:1336.v768003e07199
workflow-job:1400.v7fd111b_ec82f
workflow-multibranch:773.vc4fe1378f1d5
workflow-scm-step:427.v4ca_6512e7df1
workflow-step-api:657.v03b_e8115821b_
workflow-support:896.v175a_a_9c5b_78f

What Operating System are you using (both controller, and any agents involved in the problem)?

official jenkins container

Reproduction steps

  1. Update oic-auth from 4.227.v36610663f760 to 4.228.v0c3e8682ff1f with pkceEnabled=true
  2. Open Jenkins and log in with OIDC

Expected Results

You are logged in as usual.

Actual Results

You are not logged in and in the logs you get the error:

WARNING	h.i.i.InstallUncaughtExceptionHandler#handleException: Caught unhandled exception with ID ...
com.google.api.client.auth.oauth2.TokenResponseException: 400 Bad Request
POST https://KEYCLOAK_URL/realms/REALM/protocol/openid-connect/token
{
  "error": "invalid_grant",
  "error_description": "PKCE verification failed"
}

Anything else?

We use Keycloak as OIDC backend, version 24.0.2.
We had pkceEnabled=true until now and it worked so far.
It also doesn't work in the newest version. With pkceEnabled=false everything works as usual with the newest version.

Are you interested in contributing a fix?

No response

BiancaRapp added the bug label Apr 5, 2024
michael-doubez commented Apr 5, 2024

Thanks for the very good issue report.

At a guess, it is an issue with PKCE challenge context in #288.

Thinking it through, I guess it must be serialized in the session context, just like the nonce.

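To make the failure mode in this thread concrete, here is an added example in Python. It is not the oic-auth plugin's code and not Keycloak; it is a constructed relying party and token endpoint that walk through one PKCE round trip (RFC 7636, S256). The names `RelyingParty`, `TokenEndpoint`, `login`, the session key `pkce_verifier` and the `persist_verifier` switch are all assumptions made for the illustration. With the verifier kept in the session alongside the nonce, the code exchange succeeds; when the verifier is lost between the redirect and the callback, a fresh one is minted at the callback and the token endpoint answers with the same `invalid_grant` / "PKCE verification failed" response quoted in the report.

```python
import base64
import hashlib
import hmac
import secrets

# RFC 7636 Appendix B test vector (values from the RFC, not from this issue).
RFC7636_VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
RFC7636_CHALLENGE = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_verifier() -> str:
    """Fresh high-entropy code_verifier (43 chars from 32 random bytes)."""
    return b64url(secrets.token_bytes(32))


def s256_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class TokenEndpoint:
    """Constructed stand-in for the OP's authorization and token endpoints (not Keycloak)."""

    def __init__(self) -> None:
        self._pending: dict[str, str] = {}  # authorization code -> code_challenge (S256 only)

    def authorize(self, code_challenge: str) -> str:
        """Record the challenge sent with the authorization request; hand out a code."""
        code = secrets.token_urlsafe(16)
        self._pending[code] = code_challenge
        return code

    def token(self, code: str, code_verifier: str) -> dict:
        """Exchange the code; the verifier must hash to the stored challenge."""
        challenge = self._pending.pop(code, None)
        if challenge is None:
            return {"error": "invalid_grant", "error_description": "Code not valid"}
        # Same wording as the Keycloak response quoted in the issue.
        if not hmac.compare_digest(s256_challenge(code_verifier), challenge):
            return {"error": "invalid_grant", "error_description": "PKCE verification failed"}
        return {"access_token": secrets.token_urlsafe(16), "token_type": "Bearer"}


class RelyingParty:
    """Constructed stand-in for the login side; persist_verifier toggles the bug."""

    def __init__(self, op: TokenEndpoint, persist_verifier: bool) -> None:
        self.op = op
        self.persist_verifier = persist_verifier

    def start_login(self, session: dict) -> str:
        """Build the authorization request; returns the code the browser brings back."""
        verifier = make_verifier()
        session["nonce"] = secrets.token_urlsafe(16)  # the nonce is always kept
        if self.persist_verifier:
            session["pkce_verifier"] = verifier  # correct: survives the redirect
        return self.op.authorize(s256_challenge(verifier))

    def finish_login(self, session: dict, code: str) -> dict:
        """Callback: exchange the code using the verifier stored at start_login."""
        verifier = session.get("pkce_verifier")
        if verifier is None:
            # Bug: the verifier did not survive the redirect, so a new one is
            # minted here. Its S256 digest cannot match the challenge sent earlier.
            verifier = make_verifier()
        return self.op.token(code, verifier)


def login(persist_verifier: bool) -> dict:
    """One complete login; a plain dict stands in for the HTTP session."""
    op = TokenEndpoint()
    rp = RelyingParty(op, persist_verifier)
    session: dict = {}
    code = rp.start_login(session)
    return rp.finish_login(session, code)


if __name__ == "__main__":
    assert s256_challenge(RFC7636_VERIFIER) == RFC7636_CHALLENGE
    print("verifier kept in session:", login(True))
    print("verifier lost between redirect and callback:", login(False))
```

The check at the token endpoint is the whole point of PKCE: the server never sees the verifier until the exchange, so anything that regenerates it on the callback (a new flow object, a field that was not serialized with the session) produces exactly this error even though both sides are configured correctly. When debugging a report like this one, comparing the `code_challenge` sent in the authorization request with `s256_challenge()` of the verifier used in the token request is the quickest way to tell a lost verifier from a misconfigured server.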
@michael-doubez

I won't be able to provide a fix until Sunday at best.

@michael-doubez

Fixed in v4.236.v4124503b_a_f88

toabi commented Apr 8, 2024

Tested in our setup. It works again! Thanks for this quick resolution.

3 participants