@dan I'll go back to the client and see if PKCE can be disabled, but I'm not getting my hopes up…
For reference, the GitHub issue can be found here: https://github.com/FusionAuth/fusionauth-issues/issues/968
Got the right answer in the Slack channel – I needed to update the theme templates too
I recently upgraded from an old FusionAuth version around 1.19 to 1.40.2. Because it is a one node installation, I also changed the search from elastic to database (PostgreSQL).
Everything went smoothly, but since the upgrade the password reset (and the setup password) links always show a "Your password reset code has expired or is invalid" error.
I've updated the email templates to include the new query params:
[#setting url_escaping_charset="UTF-8"]
[#assign url = "https://my.fusionauth.url/password/change/${changePasswordId}?client_id=${(application.oauthConfiguration.clientId)!''}&tenantId=${user.tenantId}" /]
[#list state!{} as key, value][#if key != "tenantId" && key != "client_id" && value??][#assign url = url + "&" + key?url + "=" + value?url/][/#if][/#list]
${url}
which results in a URL looking like this:
https://my.fusionauth.url/password/change/<some_code>?client_id=<some_id>&tenantId=<some_id>&metaData.device.name=macOS%20Chrome&metaData.device.type=BROWSER&redirect_uri=https%3A%2F%2Fmy.fusionauth.url%2Ftorii%2Fredirect.html&response_type=code&state=<some_state>&timezone=Europe%2FBerlin
Things I have tried/checked:
What else could be the reason, and how can I fix this? Any help is appreciated.
@dan Thank you for the quick reply.
The identity provider is a client's instance of https://www.miniorange.com, and I'm trying to add it in Settings -> Identity Providers -> Add provider -> OpenID Connect.
I'm trying to integrate an external identity provider that requires the Authorization Code Grant and a PKCE challenge method with S256.
I added the identity provider to FusionAuth, and the login window correctly shows the "Login with <my provider>" button, but I only get a "code challenge required" error back from this identity provider once I click the button.
Inspecting the call made to the identity provider I can see that the client_id, redirect_url, response_type and scope query parameters are correctly set, but code_challenge and code_challenge_method are missing (those are required according to the identity provider's documentation).
Is there a way to enable PKCE for identity providers in FusionAuth?
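As an added example (not from the original post or from FusionAuth), here is how the S256 challenge such a provider expects is derived from a verifier under RFC 7636, together with the check the post describes doing by hand: inspecting an authorization request for the parameters it lacks. The endpoint, client id, redirect URI and state values are placeholders.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


def make_pkce_pair(verifier=None):
    """Return (code_verifier, code_challenge) for the S256 method (RFC 7636).

    The verifier is 43-128 unreserved characters; the challenge is the
    base64url encoding (padding stripped) of SHA-256 over the ASCII verifier.
    """
    if verifier is None:
        verifier = secrets.token_urlsafe(64)[:128]  # ~86 unreserved chars
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def verify_pkce(verifier, challenge):
    """The provider-side check at the token endpoint: does the verifier
    presented with the code reproduce the challenge sent earlier?"""
    _, expected = make_pkce_pair(verifier)
    return secrets.compare_digest(expected, challenge)


def build_authorize_url(endpoint, client_id, redirect_uri, state, challenge, scope="openid"):
    """Authorization request including the two parameters the post found missing."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": scope,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{endpoint}?{urlencode(params)}"


def missing_pkce_params(url):
    """Return the names of required parameters absent from an authorization
    request; an empty list means a PKCE/S256 provider would accept it."""
    qs = parse_qs(urlparse(url).query)
    required = ["client_id", "redirect_uri", "response_type", "scope",
                "code_challenge", "code_challenge_method"]
    missing = [p for p in required if p not in qs]
    if "code_challenge_method" in qs and qs["code_challenge_method"] != ["S256"]:
        missing.append("code_challenge_method=S256")
    return missing
```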