Hi, Maybe you can disable PKCE RFC support.
i have successfully patched myself 6.2.x branch : cas.authn.pac4j.oidc[0].generic.useNonce=true cas.authn.pac4j.oidc[0].generic.disable-pkce=true #(default is false) I have started a pull request on CAS repo in order to provide this configuration key. The issue comes from pac4j 4.0.3 (and Apereo CAS 6.2.1+) version, https://www.pac4j.org/docs/release-notes.html Le mer. 16 sept. 2020 à 14:01, Abre Chase <[email protected]> a écrit : > Hi All - > > I'm attempting to setup delegation from CAS 6.2.2 to Okta and have run > into a problem. > > The logs show: > > 2020-09-15 23:55:49,201 DEBUG > [org.pac4j.oidc.redirect.OidcRedirectionActionBuilder] - <Authentication > request url: > https://dev-233489.okta.com/oauth2/v1/authorize?scope=openid+profile+email&response_type=code&redirect_uri=https%3A%2F%2Flocalhost%3A8444%2Fcas%2Flogin%2Fokta&state=TST-1-r6SHqooSo3qIITtnkhCDn0aLhoKRl0-R&code_challenge_method=S256&nonce=4NjpcwSH_PxBES2_SXTfeEku6BoDb1jqzsTfxNhsuqc&client_id=0oaz33kps1PVfeERs4x6&code_challenge=dPP8K0ENJEO5BGNv_ML0WarVa7zOLcbZgCJu45Ih5Co > > > > 2020-09-15 23:55:49,640 DEBUG > [org.pac4j.oidc.credentials.extractor.OidcExtractor] - <Authentication > response successful> > > 2020-09-15 23:55:50,150 DEBUG > [org.pac4j.oidc.credentials.authenticator.OidcAuthenticator] - <Token > response: status=400, > content={"error":"invalid_request","error_description":"PKCE code verifier > is required when the token endpoint authentication method is 'NONE'."} > > The CAS configuration is: > > cas.authn.pac4j.oidc[0].generic.type=GENERIC > > cas.authn.pac4j.oidc[0].generic.discoveryUri= > https://dev-233489-admin.okta.com/.well-known/openid-configuration > > cas.authn.pac4j.oidc[0].generic.maxClockSkew=600 > > cas.authn.pac4j.oidc[0].generic.scope=openid profile email > > cas.authn.pac4j.oidc[0].generic.id=*** > > cas.authn.pac4j.oidc[0].generic.secret=*** > > cas.authn.pac4j.oidc[0].generic.useNonce=true > > cas.authn.pac4j.oidc[0].generic.preferredJwsAlgorithm=RS256 > > Any idea why the authentication type is defaulting to none and not > client_secret_basic? I've tried adding both: > > cas.authn.pac4j.oidc[0].generic.disablePkce=true > > > cas.authn.pac4j.oidc[0].generic.clientAuthenticationMethod=client_secret_basic > > But no luck. > > Thanks for any advice. I've been looking at the code and pac4j source to > try to figure out what is going on here but not having much luck. > > Abre Chase > > > > -- > - Website: https://apereo.github.io/cas > - Gitter Chatroom: https://gitter.im/apereo/cas > - List Guidelines: https://goo.gl/1VRrw7 > - Contributions: https://goo.gl/mh7qDG > --- > You received this message because you are subscribed to the Google Groups > "CAS Community" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To view this discussion on the web visit > https://groups.google.com/a/apereo.org/d/msgid/cas-user/72aad569-9c8f-4005-8487-69e7ddfbf1c5n%40apereo.org > <https://groups.google.com/a/apereo.org/d/msgid/cas-user/72aad569-9c8f-4005-8487-69e7ddfbf1c5n%40apereo.org?utm_medium=email&utm_source=footer> > . > -- Jérôme Rautureau -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CA%2BM02YuGxMdwH7nfFMdhYj1d_uJE5UFvtf0QQPLKt7tMPLzGQA%40mail.gmail.com.
