Disable PKCE on ecosplay_code client (Gitea compat)

Gitea 1.25.5 and earlier do not send PKCE code_challenge_method
on OIDC sources, so enforcing PKCE in Keycloak causes:

  Missing parameter: code_challenge_method

at the /auth endpoint. Drop the pkce.code.challenge.method
attribute from the ecosplay_code client block in the realm
import JSON, and add a set_client_pkce helper to sync.sh that
clears the attribute on existing installs. All other clients
(ecosplay_web, eticket) keep S256.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Serreau Jovann
2026-04-10 16:53:17 +02:00
parent 7d31714908
commit 4484b70c19
2 changed files with 18 additions and 4 deletions

@@ -120,7 +120,7 @@
{
"clientId": "ecosplay_code",
"name": "E-Cosplay Code",
"description": "Forge de code (Gitea) - login SSO via ecosplay_code provider",
"description": "Forge de code (Gitea) - login SSO via ecosplay_code provider (Gitea ne supporte pas PKCE)",
"enabled": true,
"publicClient": false,
"secret": "change-me-in-admin-console",
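Review bot: The new description string says "Gitea ne supporte pas PKCE" with no version bound, while the commit message limits the problem to Gitea 1.25.5 and earlier; put that version in the description so the exception is easy to revisit after a Gitea upgrade. With PKCE no longer required on this client, the code exchange is authenticated by the client secret alone, so the "secret": "change-me-in-admin-console" placeholder in the same block needs to be rotated on every install before the client is used.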
@@ -139,8 +139,7 @@
"serviceAccountsEnabled": false,
"frontchannelLogout": true,
"attributes": {
"post.logout.redirect.uris": "https://code.e-cosplay.fr/*##https://cos.local/*",
"pkce.code.challenge.method": "S256"
"post.logout.redirect.uris": "https://code.e-cosplay.fr/*##https://cos.local/*"
}
},
{
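Review bot: Removing "pkce.code.challenge.method" from the attributes block leaves nothing in the realm JSON that records S256 as the intended setting for ecosplay_code, so a later re-import keeps PKCE off even once Gitea starts sending code_challenge_method. Track the re-enable somewhere durable (an issue reference in the client description, or a note next to the set_client_pkce helper in sync.sh), and confirm that the helper clears the attribute only on ecosplay_code so that ecosplay_web and eticket stay on S256 as the commit message states.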