Disable PKCE on ecosplay_code client (Gitea compat)
Gitea 1.25.5 and earlier do not send a PKCE code_challenge_method on OIDC sources, so enforcing PKCE in Keycloak causes a "Missing parameter: code_challenge_method" error at the /auth endpoint. Drop the pkce.code.challenge.method attribute from the ecosplay_code client block in the realm import JSON, and add a set_client_pkce helper to sync.sh that clears the attribute on existing installs. All other clients (ecosplay_web, eticket) keep S256. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
17
init/sync.sh
17
init/sync.sh
@@ -173,6 +173,19 @@ set_client_uris() {
|
||||
info " client $2 URIs synced ($1)"
|
||||
}
|
||||
|
||||
set_client_pkce() {
|
||||
# $1=realm $2=clientId $3=method ("S256", "plain", or "" to disable)
|
||||
local cid
|
||||
cid=$(client_internal_id "$1" "$2")
|
||||
if [ -z "$cid" ]; then
|
||||
warn "client $2 not found in $1, skipping PKCE update"
|
||||
return
|
||||
fi
|
||||
$KC update "clients/$cid" -r "$1" \
|
||||
-s "attributes.\"pkce.code.challenge.method\"=$3" >/dev/null
|
||||
info " client $2 PKCE method set to '${3:-none}' ($1)"
|
||||
}
|
||||
|
||||
ensure_client() {
|
||||
# $1=realm $2=clientId $3=name $4=description $5=secret
|
||||
# $6=redirectUris(json) $7=webOrigins(json) $8=postLogoutUris(##-separated)
|
||||
@@ -336,7 +349,7 @@ if realm_exists ecosplay; then
|
||||
|
||||
log "Reconciling ecosplay_code client"
|
||||
ensure_client ecosplay ecosplay_code "E-Cosplay Code" \
|
||||
"Forge de code (Gitea) - login SSO via ecosplay_code provider" \
|
||||
"Forge de code (Gitea) - login SSO via ecosplay_code provider (Gitea ne supporte pas PKCE)" \
|
||||
"change-me-in-admin-console" \
|
||||
'["https://code.e-cosplay.fr/user/oauth2/ecosplay_code/callback","https://cos.local/user/oauth2/ecosplay_code/callback"]' \
|
||||
'["https://code.e-cosplay.fr","https://cos.local"]' \
|
||||
@@ -345,6 +358,8 @@ if realm_exists ecosplay; then
|
||||
'["https://code.e-cosplay.fr/user/oauth2/ecosplay_code/callback","https://cos.local/user/oauth2/ecosplay_code/callback"]' \
|
||||
'["https://code.e-cosplay.fr","https://cos.local"]' \
|
||||
'https://code.e-cosplay.fr/*##https://cos.local/*'
|
||||
# Gitea does not support PKCE on OIDC sources, disable the requirement
|
||||
set_client_pkce ecosplay ecosplay_code ""
|
||||
else
|
||||
warn "ecosplay realm not found — will be imported on next boot"
|
||||
fi
|
||||
|
||||
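Review bot: `set_client_pkce` writes `$3` straight into the `pkce.code.challenge.method` attribute without checking it against the three values the header comment documents, so a typo such as `s256` is pushed to Keycloak and then logged as a successful change, which would silently weaken or break PKCE enforcement for that client; a guard at the top of the function, `case "$3" in S256|plain|"") ;; *) warn "unknown PKCE method '$3'"; return 1;; esac`, keeps the helper honest. The `$KC update` call's exit status is also not checked, so unless the script runs under `set -e` (not visible in this hunk) a failed update is still followed by the "PKCE method set" info line; `|| { warn "failed to update PKCE method for $2 ($1)"; return 1; }` on that command would fix it. Since the commit message ties this to Gitea 1.25.5 and earlier, the comment at the call site would be more useful as `# Gitea <= 1.25.5 does not send code_challenge_method on OIDC sources; re-enable S256 once the forge is upgraded` so the downgrade is tracked rather than permanent. The client remains confidential (`publicClient: false` with a secret), so the code exchange is still client-authenticated, but it is worth confirming that Keycloak treats an empty attribute value as "not enforced" rather than as an unrecognised method.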
@@ -120,7 +120,7 @@
|
||||
{
|
||||
"clientId": "ecosplay_code",
|
||||
"name": "E-Cosplay Code",
|
||||
"description": "Forge de code (Gitea) - login SSO via ecosplay_code provider",
|
||||
"description": "Forge de code (Gitea) - login SSO via ecosplay_code provider (Gitea ne supporte pas PKCE)",
|
||||
"enabled": true,
|
||||
"publicClient": false,
|
||||
"secret": "change-me-in-admin-console",
|
||||
@@ -139,8 +139,7 @@
|
||||
"serviceAccountsEnabled": false,
|
||||
"frontchannelLogout": true,
|
||||
"attributes": {
|
||||
"post.logout.redirect.uris": "https://code.e-cosplay.fr/*##https://cos.local/*",
|
||||
"pkce.code.challenge.method": "S256"
|
||||
"post.logout.redirect.uris": "https://code.e-cosplay.fr/*##https://cos.local/*"
|
||||
}
|
||||
},
|
||||
{
|
||||
|
||||