Identity Provider that requires PKCE
-
I'm trying to integrate an external identity provider that requires the Authorization Code Grant and a PKCE challenge method with S256.
I added the identity provider to FusionAuth, and the login window correctly shows the "Login with <my provider>" button, but I only get a "code challenge required" error back from this identity provider once I click the button.
Inspecting the call made to the identity provider I can see that the client_id, redirect_url, response_type and scope query parameters are correctly set, but code_challenge and code_challenge_method are missing (those are required according to the identity provider's documentation).

Is there a way to enable PKCE for identity providers in FusionAuth?
-
What is the external identity provider (if you can share)?
Most identity providers I know of use the nonce, which is part of OIDC, rather than PKCE. Which identity provider are you trying to configure within FusionAuth (OIDC, external JWT)?
-
@dan Thank you for the quick reply.
The identity provider is a client's instance of https://www.miniorange.com, and I'm trying to add it in Settings -> Identity Providers -> Add provider -> OpenID Connect.
-
Hiya,
I looked around and we don't support PKCE for identity providers.
Can you please open a github issue for this feature: https://github.com/fusionauth/fusionauth-issues/issues
You can reference this forum post if you'd like.
The only workaround I can think of is to try to turn off the PKCE requirement for miniorange. I don't have access to that IDP so I can't give guidance on how to do so, but if you figure it out, please share :).
Thanks,
Dan
-
@dan I'll go back to the client and see if PKCE can be disabled, but I'm not getting my hopes up…
For reference, the GitHub issue can be found here: https://github.com/FusionAuth/fusionauth-issues/issues/968