How to configure keycloak-(nodejs-)connect to use PKCE?

Question

I have an express app that I want to secure with keycloak-connect. I have not found any documentation or examples of how to set up an Authorization Code Flow with PKCE in this middleware.

I think I have configured Keycloak (IDP) correctly, because authentication from the app fails due to the middleware not transmitting neither code_challenge nor code_challenge_method parameters, which the auth server rejects:

auth_callback
    1
error
    invalid_request
error_description
    Missing parameter: code_challenge_method
state
    b720bdf4-daf8-4aa7-8525-be02404396a6

Middleware configuration:

{
    realm: 'SomeRealm',
    'auth-server-url': 'https://auth-server.url/auth/',
    'ssl-required': 'all',
    resource: 'Some-client-ID',
    'public-client': true,
    'confidential-port': 0,
}

Is keycloak-connect even capable of utilising this flow?

Matthias Wiedemann · Accepted Answer · 2021-05-11T15:58:26.397

3

keycloak-connect does not support PKCE as of now.

See the discussion I found at https://keycloak.discourse.group/t/keycloak-connect-node-js-pkce/8285 There someone suggests to switch to another library, which supports PKCE (i.e. node-openid-client)

Regarding the server configuration, I guess you followed https://www.keycloak.org/docs/latest/server_admin/#advanced-settings and section about PKCE, so that should be working as expected.

edited May 11 '21 at 15:58

answered May 11 '21 at 15:51

Matthias Wiedemann

1,313
12
22

I managed to get it to work by using the `express-openid-connect` library :) Thanks for the info regarding keycloak-connect and PKCE – urbanhusky May 11 '21 at 16:45

How to configure keycloak-(nodejs-)connect to use PKCE?

1 Answers1