Description
oidcc version: 3.5.1
Erlang version: 27.3.3
Elixir version: 1.18.3
Summary
Under certain circumstances, the PAR request to Keycloak will fail. This seems to be partially related to #391, or at least that issue pointed me in the right direction.
Keycloak 26.2.0 seems to include the fix to the linked issue (and is the version I run), so I'm not sure if this is a Keycloak issue or an oidcc issue, but I'm hoping the maintainers would have a better idea of which system the issue lies in.
Current behavior
Keycloak refuses the initial PAR request with an error:
Invalid request: java.lang.RuntimeException: Request object encrypted with different algorithm than client requested algorithm
How to reproduce
I've narrowed it down to a very specific setting in the Keycloak client configuration.
When the advanced setting "Request Object Encryption Algorithm" is not set (i.e. doesn't appear in the attributes list of an export) everything works fine.
If the setting is set to "Any", or any of the available options, the PAR request is rejected and oidcc returns the dreaded Redirect URI Generation Failed error.
In the client export from Keycloak, the related setting is request.object.encryption.alg in the attributes object. I found while fiddling with the client settings that it would randomly start failing; apparently saving some unrelated options causes this setting to be added to the list with a value of any, which causes the error described.
Expected behavior
There should be agreement between the requested encryption algorithm and the actual encryption algorithm used in the PAR request.
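To make the "agreement" above concrete, here is an added example that is not part of the original issue and is neither oidcc's nor Keycloak's code. It models both sides of the negotiation in Python: the client picks a JWE alg for the request object from what it registered at the OP (modelled on the request.object.encryption.alg attribute mentioned above, with the hypothetical values None for "setting absent", "any", or a concrete algorithm), and the server checks the submitted request object against that registration. The provider metadata and the tokens are constructed for the example; the tokens carry a real JOSE header in front of placeholder segments, since only the header is inspected.

```python
import base64
import json


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    padded = segment + "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(padded)


def protected_header(compact: str) -> dict:
    """Return the JOSE header of a compact-serialized JWS or JWE.
    Both formats carry base64url(JSON) as the first dot-separated segment."""
    return json.loads(b64url_decode(compact.split(".")[0]))


def is_jwe(compact: str) -> bool:
    """JWE compact serialization has 5 segments (4 dots); JWS has 3 (2 dots)."""
    return compact.count(".") == 4


def choose_request_object_alg(registered_alg, provider_supported):
    """Client side: pick the JWE 'alg' to encrypt the request object with.

    registered_alg is the hypothetical value registered at the OP:
    None (setting absent), "any", or a concrete algorithm name.
    provider_supported is request_object_encryption_alg_values_supported
    from the OP's discovery document. Returns None when the request
    object may be sent unencrypted (signed only)."""
    if registered_alg is None:
        return None
    if registered_alg == "any":
        if not provider_supported:
            raise ValueError("client requires encryption but OP advertises no JWE algs")
        return provider_supported[0]
    if registered_alg not in provider_supported:
        raise ValueError(f"{registered_alg} is not in the OP's supported JWE algs")
    return registered_alg


def request_object_acceptable(compact, registered_alg):
    """Server side: does the submitted request object satisfy the client's
    registration? Returns (ok, reason) so a caller can surface the reason
    in an error response instead of a bare failure."""
    if registered_alg is None:
        return True, "no encryption requirement registered"
    if not is_jwe(compact):
        return False, "request object is signed but not encrypted"
    alg = protected_header(compact).get("alg")
    if registered_alg == "any":
        return True, f"encrypted with {alg}"
    if alg != registered_alg:
        return False, f"encrypted with {alg}, client registered {registered_alg}"
    return True, f"encrypted with {alg}"


def make_dummy_token(header: dict, segments: int) -> str:
    """Constructed token: a genuine JOSE header followed by placeholder
    segments. The signature/ciphertext are fake; only the header matters here."""
    parts = [b64url_encode(json.dumps(header, separators=(",", ":")).encode())]
    parts += [b64url_encode(b"x")] * (segments - 1)
    return ".".join(parts)


# Constructed provider metadata (not from a real OP).
PROVIDER_JWE_ALGS = ["RSA-OAEP-256", "ECDH-ES"]

# Constructed request objects: one signed-only JWS, two JWEs with different algs.
SIGNED_ONLY = make_dummy_token({"alg": "RS256", "typ": "JWT"}, 3)
ENCRYPTED_RSA = make_dummy_token({"alg": "RSA-OAEP-256", "enc": "A256GCM", "cty": "JWT"}, 5)
ENCRYPTED_ECDH = make_dummy_token({"alg": "ECDH-ES", "enc": "A256GCM", "cty": "JWT"}, 5)

if __name__ == "__main__":
    for registered in (None, "any", "RSA-OAEP-256"):
        print("client would use:", registered, "->", choose_request_object_alg(registered, PROVIDER_JWE_ALGS))
    for token, registered in [(SIGNED_ONLY, None), (SIGNED_ONLY, "any"),
                              (ENCRYPTED_RSA, "any"), (ENCRYPTED_ECDH, "RSA-OAEP-256")]:
        print(registered, request_object_acceptable(token, registered))
```

The interesting row is a signed-only request object checked against a registration of "any": the client did nothing wrong by the OP's discovery document, yet the server rejects it because the registration, not the discovery metadata, demands encryption. A client library that wants to avoid that outcome has to read the registered value (or the OP's error) and encrypt accordingly, which is the agreement the expected behavior asks for.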