Closed
Description
Before reporting an issue
- I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.
Area
adapter/javascript
Describe the bug
Since version 24, where "S256" is the default for the PKCE method, it cannot be disabled anymore. Even the new `false` option does not have any effect. So "S256" is always set as the PKCE method.
Version
24.0.1
Regression
- The issue is a regression
Expected behavior
It should be again possible to disable PKCE by setting the `pkceMethod` option to `false`, as described within the documentation.
Actual behavior
The `false` option of the `pkceMethod` init parameter is ignored. The check for `false` is missing in the source code:
```js
if (initOptions.pkceMethod) {
    if (initOptions.pkceMethod !== "S256") {
        throw new TypeError(`Invalid value for 'pkceMethod', expected 'S256' but got '${initOptions.pkceMethod}'.`);
    }
    kc.pkceMethod = initOptions.pkceMethod;
} else {
    kc.pkceMethod = "S256";
}
```
It should be:
```js
if (initOptions.pkceMethod) {
    if (initOptions.pkceMethod !== "S256") {
        throw new TypeError(`Invalid value for 'pkceMethod', expected 'S256' but got '${initOptions.pkceMethod}'.`);
    }
    kc.pkceMethod = initOptions.pkceMethod;
} else if (initOptions.pkceMethod !== false) {
    kc.pkceMethod = "S256";
}
```
How to Reproduce?
- Create a new Keycloak JavaScript adapter
- Provide `false` for the `pkceMethod` option when calling the init method
- For example call the `createLoginUrl` method
- The resulting URL will include the parameter `code_challenge_method=S256` but it should not
Anything else?
No response
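
The reproduction steps above, turned into a regression check that runs without a Keycloak server. This is an added example, not part of the original report and not Keycloak's code: `resolvePkceMethod`, `buildLoginUrl`, `checkLoginUrl`, `runCase`, the host, realm and client id are all hypothetical or constructed, and only the option handling mirrors the two snippets quoted in the report.

```javascript
// Added example, not Keycloak's code: all names and the URL below are constructed.

// Mirrors the option handling quoted in the report. With honourFalse=false it is the
// reported 24.0.1 branch; with honourFalse=true it is the reporter's proposed branch.
function resolvePkceMethod(initOptions, honourFalse) {
  if (initOptions.pkceMethod) {
    if (initOptions.pkceMethod !== "S256") {
      throw new TypeError(`Invalid value for 'pkceMethod', expected 'S256' but got '${initOptions.pkceMethod}'.`);
    }
    return initOptions.pkceMethod;
  }
  if (honourFalse && initOptions.pkceMethod === false) {
    return undefined; // PKCE explicitly disabled by the caller
  }
  return "S256";
}

// Builds an authorization request URL for a constructed realm and client.
function buildLoginUrl(pkceMethod) {
  const url = new URL("https://idp.example.test/realms/demo/protocol/openid-connect/auth");
  url.searchParams.set("client_id", "demo-client");
  url.searchParams.set("response_type", "code");
  if (pkceMethod) {
    url.searchParams.set("code_challenge", "constructed-challenge-value");
    url.searchParams.set("code_challenge_method", pkceMethod);
  }
  return url.toString();
}

// Compares the PKCE parameters found in a login URL with what the init options ask for:
// an explicit `false` means no PKCE parameters, anything else means S256.
function checkLoginUrl(loginUrl, initOptions) {
  const params = new URL(loginUrl).searchParams;
  const expected = initOptions.pkceMethod === false ? null : "S256";
  const actual = params.get("code_challenge_method");
  // This check also flags a URL that carries only one of the two PKCE parameters.
  const consistent = params.has("code_challenge") === (actual !== null);
  return { expected, actual, ok: consistent && expected === actual };
}

// Runs one init-options case through either branch and reports the result.
function runCase(initOptions, honourFalse) {
  const loginUrl = buildLoginUrl(resolvePkceMethod(initOptions, honourFalse));
  return checkLoginUrl(loginUrl, initOptions);
}
```

`checkLoginUrl` can also be pointed at the string a real adapter returns from `createLoginUrl` to see whether that build honours `pkceMethod: false`.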