nextcloud/user_oidc

PKCE doesn't work after upgrade to NC28.0.2 and user_oidc > 1.3.6

Opened this issue · 3 comments

I have successfully integrated NC 28.0.1 and user_oidc 1.3.5 with the zitadel IdP using PKCE (empty client secret).
When I upgraded my dev environment to NC 28.0.2 and the "integrated" user_oidc to 1.3.6, the integration stopped working.

Reviewing the release notes, I found #740, which introduces a new setting making PKCE optional, so I added the new parameter

use_pkce = true to my config using occ config:app:set --value=true user_oidc use_pkce, but still no luck logging in. The login process fails with this error:
[image]

If I use the same IdP with "client authentication" (client_id + client_secret), login is successful.

Please advise how to make PKCE work, especially considering PKCE is the "preferred" variant:

https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-16#section-2.1.1

Clients MUST prevent injection (replay) of authorization codes into the authorization response by attackers. Public clients MUST use PKCE [RFC7636] to this end. For confidential clients, the use of PKCE [RFC7636] is RECOMMENDED.

occ config:list user_oidc
{
    "apps": {
        "user_oidc": {
            "allow_multiple_user_backends": "0",
            "enabled": "yes",
            "id4me_enabled": "0",
            "installed_version": "5.0.1",
            "provider-7-jwksCache": "",
            "provider-7-jwksCacheTimestamp": "",
            "provider-8-bearerProvisioning": "0",
            "provider-8-checkBearer": "0",
            "provider-8-extraClaims": "preferred_username",
            "provider-8-groupProvisioning": "1",
            "provider-8-jwksCache": ***SENSITIVE VALUE***,
            "provider-8-mappingAddress": "",
            "provider-8-mappingAvatar": "",
            "provider-8-mappingBiography": "",
            "provider-8-mappingCountry": "",
            "provider-8-mappingDisplayName": "",
            "provider-8-mappingEmail": "",
            "provider-8-mappingFediverse": "",
            "provider-8-mappingGender": "",
            "provider-8-mappingGroups": "x-grants",
            "provider-8-mappingHeadline": "",
            "provider-8-mappingLocality": "",
            "provider-8-mappingOrganisation": "",
            "provider-8-mappingPhonenumber": "",
            "provider-8-mappingPostalcode": "",
            "provider-8-mappingQuota": "",
            "provider-8-mappingRegion": "",
            "provider-8-mappingRole": "",
            "provider-8-mappingStreetaddress": "",
            "provider-8-mappingTwitter": "",
            "provider-8-mappingUid": "preferred_username",
            "provider-8-mappingWebsite": "",
            "provider-8-providerBasedId": "0",
            "provider-8-sendIdTokenHint": "0",
            "provider-8-uniqueUid": "0",
            "types": "authentication",
            "use_pkce": "true"
        }
    }
}

I'm not sure whether the command occ config:app:set --value=true user_oidc use_pkce writes a string value rather than a boolean. Unfortunately, occ config:app:set doesn't support --type=boolean the way occ config:system:set does.

I'm a little surprised, but the config doesn't end up in config.php (community docker), so I'm unsure how to verify whether the setting was applied in the right way.
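For reference, the PKCE S256 exchange that the quoted security-topics draft requires, written out as an added example (not code from user_oidc or from anyone in this thread). It uses openssl for the hashing so it can be pasted into a terminal, assumes openssl is on PATH, and uses the known-answer verifier/challenge pair from RFC 7636 Appendix B so the result can be checked. The last step shows why the check defeats authorization-code injection: an attacker who replays a stolen code into their own session does not hold the verifier the code was bound to.

```shell
#!/bin/sh
# Added example, not part of the user_oidc project: PKCE (RFC 7636) with S256.
# Assumes `openssl` is available. Values below are the RFC 7636 Appendix B
# known-answer test vector, not anything captured from a real IdP.

# base64url without padding (RFC 7636 Appendix A)
b64url() {
  openssl base64 -A | tr '+/' '-_' | tr -d '='
}

# Client side: a fresh high-entropy code_verifier (32 random bytes -> 43 chars).
pkce_new_verifier() {
  openssl rand 32 | b64url
}

# Client side: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
pkce_challenge() {
  printf '%s' "$1" | openssl dgst -sha256 -binary | b64url
}

# Authorization-server side, at the token endpoint: recompute the challenge from
# the presented code_verifier and compare it with the challenge that was bound
# to the authorization code when the code was issued. Exit status 0 on match.
pkce_verify() {
  stored_challenge=$1
  presented_verifier=$2
  [ "$(pkce_challenge "$presented_verifier")" = "$stored_challenge" ]
}

# Walk-through with the RFC 7636 Appendix B vector.
# 1. The client creates the verifier, keeps it, and sends only the challenge
#    in the authorization request.
verifier=dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk
challenge=$(pkce_challenge "$verifier")
echo "authorization request: code_challenge=$challenge&code_challenge_method=S256"

# 2. The AS binds $challenge to the code it issues. When the client redeems the
#    code it sends code + code_verifier, and the AS checks the binding.
pkce_verify "$challenge" "$verifier" && echo "legitimate client: code accepted"

# 3. An attacker who injects (replays) a stolen code into their own session only
#    has a verifier of their own, so the recomputed challenge does not match.
pkce_verify "$challenge" "$(pkce_new_verifier)" || echo "injected code: rejected"
```

Running it prints the challenge E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM for the RFC verifier, accepts the legitimate redemption and rejects the injected one. With an empty client secret the client is public, which is exactly the case where the draft says PKCE is a MUST rather than a RECOMMENDED.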

Hi, I'm using PKCE and I had to set it as a system setting:
occ config:system:set --value=true --type=boolean user_oidc use_pkce
This will add the array and enable PKCE.
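The two occ invocations from this thread side by side, plus an offline check of the result, as an added example (not code from the user_oidc project or from the commenter). The check assumes config.php is written in the var_export-style layout Nextcloud normally produces; the sample config files it writes are constructed for the demo, and the exact read-back output of occ config:system:get is stated as expected rather than verified here.

```shell
#!/bin/sh
# Added example, not part of the user_oidc project.
#
# WRONG for this setting: app config. occ config:app:set has no --type option,
# so the value is stored as the string "true" in app config, and as this thread
# found, login with PKCE still fails.
#   occ config:app:set --value=true user_oidc use_pkce
#
# RIGHT: system config with an explicit boolean type. This lands in config.php as
#   'user_oidc' => array ( 'use_pkce' => true, )
#   occ config:system:set --value=true --type=boolean user_oidc use_pkce
#
# Expected read-back afterwards (assumption: prints the literal true):
#   occ config:system:get user_oidc use_pkce

# Offline check of a config.php: exit 0 if use_pkce is boolean true inside the
# user_oidc array, exit 1 if it is missing or stored as the quoted string 'true'.
check_use_pkce() {
  config=$1
  # Flatten whitespace so the multi-line array matches a single pattern
  # (crude, but sufficient for the layout Nextcloud writes).
  flat=$(tr -s ' \n\t' ' ' < "$config")
  case $flat in
    *"'user_oidc' => "*"'use_pkce' => true"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Writes a constructed config.php with the given PHP literal for use_pkce,
# e.g. `true` (boolean) or `'true'` (string). Demo helper only.
write_sample_config() {
  cat > "$1" <<EOF
<?php
\$CONFIG = array (
  'instanceid' => 'ocexample',
  'user_oidc' =>
  array (
    'use_pkce' => $2,
  ),
);
EOF
}

# Demo: boolean true passes, a quoted string does not.
dir=$(mktemp -d)
write_sample_config "$dir/good.php" true
write_sample_config "$dir/bad.php" "'true'"
check_use_pkce "$dir/good.php" && echo "good.php: use_pkce is boolean true"
check_use_pkce "$dir/bad.php" || echo "bad.php: use_pkce missing or not a boolean"
rm -rf "$dir"
```

On a real instance, run check_use_pkce against the actual config/config.php (in the community docker image that is under the html volume) after the config:system:set call; if it fails, the value either went to app config or was stored as a string.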

Thank you! It looks like occ config:system:set does the trick! Just tested and PKCE seems to work.

But nevertheless, it should be enabled by default -> #807