From 4484b70c193b63d44d74a2e6d75ec59b86ccadc3 Mon Sep 17 00:00:00 2001 From: Serreau Jovann Date: Fri, 10 Apr 2026 16:53:17 +0200 Subject: [PATCH] Disable PKCE on ecosplay_code client (Gitea compat) Gitea 1.25.5 and earlier do not send PKCE code_challenge_method on OIDC sources, so enforcing PKCE in Keycloak causes: Missing parameter: code_challenge_method at the /auth endpoint. Drop the pkce.code.challenge.method attribute from the ecosplay_code client block in the realm import JSON, and add a set_client_pkce helper to sync.sh that clears the attribute on existing installs. All other clients (ecosplay_web, eticket) keep S256. Co-Authored-By: Claude Opus 4.6 (1M context) --- init/sync.sh | 17 ++++++++++++++++- realms/ecosplay-realm.json | 5 ++--- 2 files changed, 18 insertions(+), 4 deletions(-) diff --git a/init/sync.sh b/init/sync.sh index beac78c..4a62108 100755 --- a/init/sync.sh +++ b/init/sync.sh @@ -173,6 +173,19 @@ set_client_uris() { info " client $2 URIs synced ($1)" } +set_client_pkce() { + # $1=realm $2=clientId $3=method ("S256", "plain", or "" to disable) + local cid + cid=$(client_internal_id "$1" "$2") + if [ -z "$cid" ]; then + warn "client $2 not found in $1, skipping PKCE update" + return + fi + $KC update "clients/$cid" -r "$1" \ + -s "attributes.\"pkce.code.challenge.method\"=$3" >/dev/null + info " client $2 PKCE method set to '${3:-none}' ($1)" +} + ensure_client() { # $1=realm $2=clientId $3=name $4=description $5=secret # $6=redirectUris(json) $7=webOrigins(json) $8=postLogoutUris(##-separated) 
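Review bot: The new `set_client_pkce` helper logs `PKCE method set to ...` unconditionally after `$KC update`, so a failed update (unless the script runs under `set -e`, which is not visible here) leaves the attribute untouched on an existing install while the log claims it was cleared — and existing installs are exactly the case the commit message says this helper exists for. It also passes `$3` straight into the `-s` expression without checking it against the values the comment lists, so a typo such as `s256` would be stored verbatim in the client attribute map. I would whitelist the method and fail loudly on update errors; if kcadm's `-d` option is available for `update` in the version in use, deleting the attribute outright rather than storing an empty string would also match what the realm JSON now contains, which is worth confirming against Keycloak's handling of an empty value. `plain` offers little protection against code interception, so unless something depends on it I would leave it out of the whitelist.
```shell
set_client_pkce() {
  # $1=realm $2=clientId $3=method ("S256", "plain", or "" to disable)
  local cid method="$3"
  case "$method" in
    S256|plain|"") ;;
    *) warn "unsupported PKCE method '$method' for client $2, skipping"; return 1 ;;
  esac
  cid=$(client_internal_id "$1" "$2")
  # … unchanged: client-not-found guard …
  if ! $KC update "clients/$cid" -r "$1" \
      -s "attributes.\"pkce.code.challenge.method\"=$method" >/dev/null; then
    warn "failed to set PKCE method on client $2 ($1)"
    return 1
  fi
  info " client $2 PKCE method set to '${method:-none}' ($1)"
}
```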
@@ -336,7 +349,7 @@ if realm_exists ecosplay; then log "Reconciling ecosplay_code client" ensure_client ecosplay ecosplay_code "E-Cosplay Code" \ - "Forge de code (Gitea) - login SSO via ecosplay_code provider" \ + "Forge de code (Gitea) - login SSO via ecosplay_code provider (Gitea ne supporte pas PKCE)" \ "change-me-in-admin-console" \ '["https://code.e-cosplay.fr/user/oauth2/ecosplay_code/callback","https://cos.local/user/oauth2/ecosplay_code/callback"]' \ '["https://code.e-cosplay.fr","https://cos.local"]' \ @@ -345,6 +358,8 @@ if realm_exists ecosplay; then '["https://code.e-cosplay.fr/user/oauth2/ecosplay_code/callback","https://cos.local/user/oauth2/ecosplay_code/callback"]' \ '["https://code.e-cosplay.fr","https://cos.local"]' \ 'https://code.e-cosplay.fr/*##https://cos.local/*' + # Gitea does not support PKCE on OIDC sources, disable the requirement + set_client_pkce ecosplay ecosplay_code "" else warn "ecosplay realm not found — will be imported on next boot" fi diff --git a/realms/ecosplay-realm.json b/realms/ecosplay-realm.json index ef4cb84..fce566f 100644 --- a/realms/ecosplay-realm.json +++ b/realms/ecosplay-realm.json @@ -120,7 +120,7 @@ { "clientId": "ecosplay_code", "name": "E-Cosplay Code", - "description": "Forge de code (Gitea) - login SSO via ecosplay_code provider", + "description": "Forge de code (Gitea) - login SSO via ecosplay_code provider (Gitea ne supporte pas PKCE)", "enabled": true, "publicClient": false, "secret": "change-me-in-admin-console", @@ -139,8 +139,7 @@ "serviceAccountsEnabled": false, "frontchannelLogout": true, "attributes": { - "post.logout.redirect.uris": "https://code.e-cosplay.fr/*##https://cos.local/*", - "pkce.code.challenge.method": "S256" + "post.logout.redirect.uris": "https://code.e-cosplay.fr/*##https://cos.local/*" } }, {
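Review bot: With PKCE cleared, the only thing binding the authorization-code exchange for `ecosplay_code` to Gitea is the client secret, and the `ensure_client` call in this same block still passes the placeholder `"change-me-in-admin-console"` (visible in the preceding hunk); on an install where that secret was never rotated, anyone who obtains an authorization code can redeem it with no further check. The placeholder predates this commit, but the commit removes the remaining mitigation, so the inline comment should say what now carries the risk and when to undo this: `# Gitea <= 1.25.5 does not send code_challenge_method on OIDC sources; relies on the client secret being rotated` followed by `# TODO: restore S256 (set_client_pkce ecosplay ecosplay_code "S256") once Gitea supports PKCE`. Since this reconciliation appears to run on every boot, it is also worth stating in the comment that re-enabling PKCE by hand in the admin console will be reverted on the next run. The enclosing `if realm_exists ecosplay; then` block starts before this hunk.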
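Review bot: Removing `pkce.code.challenge.method` from the client's `attributes` only lifts the per-client requirement; if this realm also defines a client policy with Keycloak's `pkce-enforcer` executor, the Gitea request would still be rejected with the same `code_challenge_method` error. The `clientPolicies` section, if present, is outside this hunk and I cannot tell from here whether one exists, so it is worth checking before treating this change as sufficient. Because JSON cannot carry a comment, the rationale and the conditions for restoring `S256` should live in the README or in `sync.sh` next to the reconciliation call rather than only in the commit message.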