Spring security client PKCE with Keycloak

Question

I have a Java application using Spring Security 5.2.1 and secured by Keycloak.
The client in Keycloak is a public openid-connect client.
It works fine.

I have now a requirement to use PKCE (Proof Key for Code Exchange).
As Client Support for PKCE has been added to Spring Security 5.2.0.M2 and as I use Spring Security 5.2.1, I can use Spring Security to implement it.
That's the good news.
The 'bad' news is that I found nearly nothing on the Web or in the Spring Security documentation on how I must implement it, practically. Adding "enable-pkce": true in keycloak.json doesn't work, and I don't find any clear example of what to do.

Is there some documentation, website or whatever else, describing what to do to implementsthis ?

Thank you very much !

Are you wondering how to implement this in the Spring client? — Eleftheria Stein-Kousathana, Apr 14 '20 at 19:31

score 2 · Accepted Answer · edited Jun 20 '20 at 09:12

2

From the Spring Security reference documentation https://docs.spring.io/spring-security/site/docs/5.3.1.RELEASE/reference/html5/#initiating-the-authorization-request

PKCE will automatically be used when the following conditions are true:

client-secret is omitted (or empty)

client-authentication-method is set to "none" (ClientAuthenticationMethod.NONE)

edited Jun 20 '20 at 09:12

Community

1
1

answered Apr 15 '20 at 15:22

Eleftheria Stein-Kousathana

5,871
1
21
34

Thanks for the answer, but I'm not sure I understand. I just set enable-pkce in my keycloak.json, that's all I changed. When I set PKE to S256 on my Keycloak client, my application doesn't work anymore, it loops forever while trying to redirect (HTTP 302) and in the Keycloak logs, I see a lot of this : (message in the next comment, no space anymore) – Sébastien Vandamme Apr 17 '20 at 12:38
INFO [org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint] (default task-32) PKCE enforced Client without code challenge method. WARN [org.keycloak.events] (default task-32) type=LOGIN_ERROR, realmId=someRealmId, clientId=someClientId, userId=null, ipAddress=11.11.11.11, error=invalid_request, response_type=code, redirect_uri=https://localhost/xxx/sso/login, response_mode=query – Sébastien Vandamme Apr 17 '20 at 12:43
One more information, I use Keycloak Spring Security adapter – Sébastien Vandamme Apr 17 '20 at 12:46

Spring security client PKCE with Keycloak

1 Answers1