jenkinsci / oic-auth-plugin

A Jenkins plugin which lets you login to Jenkins using your own, self-hosted or public openid connect server.
https://plugins.jenkins.io/oic-auth
MIT License

PKCE verification failed #290

Closed BiancaRapp closed 7 months ago

BiancaRapp commented 7 months ago

Jenkins and plugins versions report

Environment

```text
Jenkins: 2.440.2
OS: Linux - 5.15.0-91-generic
Java: 17.0.10 - Eclipse Adoptium (OpenJDK 64-Bit Server VM)
---
analysis-model-api:12.1.0 antisamy-markup-formatter:162.v0e6ec0fcfcf6 apache-httpcomponents-client-4-api:4.5.14-208.v438351942757 asm-api:9.7-33.v4d23ef79fcc8 atlassian-bitbucket-server-integration:4.0.0 authentication-tokens:1.53.v1c90fd9191a_b_ bitbucket-scm-filter-aged-refs:31.ve3b_ca_fc71d5b_ blueocean:1.27.11 blueocean-bitbucket-pipeline:1.27.11 blueocean-commons:1.27.11 blueocean-config:1.27.11 blueocean-core-js:1.27.11 blueocean-dashboard:1.27.11 blueocean-display-url:2.4.2 blueocean-events:1.27.11 blueocean-git-pipeline:1.27.11 blueocean-github-pipeline:1.27.11 blueocean-i18n:1.27.11 blueocean-jwt:1.27.11 blueocean-personalization:1.27.11 blueocean-pipeline-api-impl:1.27.11 blueocean-pipeline-editor:1.27.11 blueocean-pipeline-scm-api:1.27.11 blueocean-rest:1.27.11 blueocean-rest-impl:1.27.11 blueocean-web:1.27.11 bootstrap5-api:5.3.3-1 bouncycastle-api:2.30.1.77-225.v26ea_c9455fd9 branch-api:2.1152.v6f101e97dd77 caffeine-api:3.1.8-133.v17b_1ff2e0599 checks-api:2.2.0 cloud-stats:336.v788e4055508b_ cloudbees-bitbucket-branch-source:883.v041fa_695e9c2 cloudbees-folder:6.901.vb_4c7a_da_75da_3 cobertura:1.17 code-coverage-api:4.99.0 command-launcher:107.v773860566e2e commons-lang3-api:3.13.0-62.v7d18e55f51e2 commons-text-api:1.11.0-95.v22a_d30ee5d36 configuration-as-code:1775.v810dc950b_514 coverage:1.13.0 credentials:1337.v60b_d7b_c7b_c9f credentials-binding:657.v2b_19db_7d6e6d data-tables-api:2.0.3-1 dependency-track:4.3.1 display-url-api:2.200.vb_9327d658781 docker-commons:439.va_3cb_0a_6a_fb_29 docker-workflow:572.v950f58993843 durable-task:550.v0930093c4b_a_6 echarts-api:5.5.0-1 favorite:2.208.v91d65b_7792a_c font-awesome-api:6.5.1-3 forensics-api:2.4.0 git:5.2.1 git-client:4.7.0 github:1.38.0 github-api:1.318-461.v7a_c09c9fa_d63 github-branch-source:1785.v99802b_69816c groovy:457.v99900cb_85593 gson-api:2.10.1-15.v0d99f670e0a_7
handy-uri-templates-2-api:2.1.8-30.v7e777411b_148 hetzner-cloud:84.v8acf5510fd35 htmlpublisher:1.33 instance-identity:185.v303dc7c645f9 ionicons-api:70.v2959a_b_74e3cf jackson2-api:2.17.0-379.v02de8ec9f64c jakarta-activation-api:2.1.3-1 jakarta-mail-api:2.1.3-1 javax-activation-api:1.2.0-6 javax-mail-api:1.6.2-9 jaxb:2.3.9-1 jenkins-design-language:1.27.11 jjwt-api:0.11.5-112.ve82dfb_224b_a_d job-dsl:1.87 joda-time-api:2.12.7-29.v5a_b_e3a_82269a_ jquery3-api:3.7.1-2 json-api:20240303-41.v94e11e6de726 json-path-api:2.9.0-58.v62e3e85b_a_655 junit:1265.v65b_14fa_f12f0 kubernetes:4203.v1dd44f5b_1cf9 kubernetes-client-api:6.10.0-240.v57880ce8b_0b_2 kubernetes-credentials:0.11 kubernetes-credentials-provider:1.262.v2670ef7ea_0c5 mailer:472.vf7c289a_4b_420 matrix-auth:3.2.2 matrix-project:822.824.v14451b_c0fd42 metrics:4.2.21-449.v6960d7c54c69 mina-sshd-api-common:2.12.1-101.v85b_e08b_780dd mina-sshd-api-core:2.12.1-101.v85b_e08b_780dd oic-auth:4.227.v36610663f760 okhttp-api:4.11.0-172.vda_da_1feeb_c6e pipeline-build-step:540.vb_e8849e1a_b_d8 pipeline-graph-analysis:216.vfd8b_ece330ca_ pipeline-groovy-lib:704.vc58b_8890a_384 pipeline-input-step:491.vb_07d21da_1a_fb_ pipeline-milestone-step:119.vdfdc43fc3b_9a_ pipeline-model-api:2.2184.v0b_358b_953e69 pipeline-model-definition:2.2184.v0b_358b_953e69 pipeline-model-extensions:2.2184.v0b_358b_953e69 pipeline-stage-step:312.v8cd10304c27a_ pipeline-stage-tags-metadata:2.2184.v0b_358b_953e69 plain-credentials:179.vc5cb_98f6db_38 plugin-util-api:4.1.0 prism-api:1.29.0-13 pubsub-light:1.18 scm-api:689.v237b_6d3a_ef7f script-security:1326.vdb_c154de8669 slack:684.v833089650554 snakeyaml-api:2.2-111.vc6598e30cc65 sse-gateway:1.26 ssh-agent:346.vda_a_c4f2c8e50 ssh-credentials:337.v395d2403ccd4 ssh-slaves:2.948.vb_8050d697fec sshd:3.322.v159e91f6a_550 structs:337.v1b_04ea_4df7c8 token-macro:400.v35420b_922dcb_ trilead-api:2.142.v748523a_76693 uno-choice:2.8.3 variant:60.v7290fc0eb_b_cd warnings-ng:11.2.2
workflow-aggregator:596.v8c21c963d92d workflow-api:1291.v51fd2a_625da_7 workflow-basic-steps:1049.v257a_e6b_30fb_d workflow-cps:3894.vd0f0248b_a_fc4 workflow-durable-task-step:1336.v768003e07199 workflow-job:1400.v7fd111b_ec82f workflow-multibranch:773.vc4fe1378f1d5 workflow-scm-step:427.v4ca_6512e7df1 workflow-step-api:657.v03b_e8115821b_ workflow-support:896.v175a_a_9c5b_78f
```

What Operating System are you using (both controller, and any agents involved in the problem)?

official jenkins container

Reproduction steps

  1. Update oic-auth from 4.227.v36610663f760 to 4.228.v0c3e8682ff1f with pkceEnabled=true
  2. Open jenkins and login with oidc

Expected Results

You are logged in as usual.

Actual Results

You are not logged in and in the logs you get the error:

```text
WARNING h.i.i.InstallUncaughtExceptionHandler#handleException: Caught unhandled exception with ID ...
com.google.api.client.auth.oauth2.TokenResponseException: 400 Bad Request
POST https://KEYCLOAK_URL/realms/REALM/protocol/openid-connect/token
{
  "error": "invalid_grant",
  "error_description": "PKCE verification failed"
}
```

Anything else?

We use Keycloak as OIDC backend, version 24.0.2. We had pkceEnabled=true until now and it worked so far. It also doesn't work in the newest version. With pkceEnabled=false everything works as usual with the newest version.

Are you interested in contributing a fix?

No response

michael-doubez commented 7 months ago

Thanks for the very good issue report.

At a guess, it is an issue with PKCE challenge context in https://github.com/jenkinsci/oic-auth-plugin/pull/288.

Thinking it through, I guess it must be serialized in the session context, just like the nonce.
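To make the failure mode concrete, here is an added Python example (not code from the oic-auth plugin or from Keycloak) that walks the PKCE exchange from RFC 7636 with a constructed stand-in token endpoint. The browser redirect means the authorization request and the callback are two separate HTTP requests, so the `code_verifier` generated before the redirect is only available at the callback if it was stored in the session; the example shows the same exchange with and without that persistence. The `TokenEndpoint` class, the `login` helper and the `pkce_verifier` session key are assumptions made for this illustration; the verifier/challenge test vector comes from RFC 7636 appendix B.

```python
import base64
import hashlib
import hmac
import secrets


def make_verifier() -> str:
    # RFC 7636 section 4.1: 43..128 unreserved characters; token_urlsafe(32) yields 43.
    return secrets.token_urlsafe(32)


def make_challenge(verifier: str) -> str:
    # S256 method: BASE64URL(SHA256(ASCII(code_verifier))) with the '=' padding stripped.
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class TokenEndpoint:
    """Constructed stand-in for an OIDC provider's /authorize and /token endpoints
    (hypothetical; not Keycloak's implementation)."""

    def __init__(self) -> None:
        self.pending: dict[str, str] = {}  # authorization code -> recorded code_challenge

    def authorize(self, code_challenge: str) -> str:
        # The provider records the challenge alongside the code it hands back via the redirect.
        code = secrets.token_urlsafe(16)
        self.pending[code] = code_challenge
        return code

    def token(self, code: str, code_verifier: str) -> dict:
        # The provider recomputes the challenge from the presented verifier and compares.
        recorded = self.pending.pop(code, None)
        if recorded is None:
            return {"error": "invalid_grant", "error_description": "unknown authorization code"}
        if not hmac.compare_digest(make_challenge(code_verifier), recorded):
            return {"error": "invalid_grant", "error_description": "PKCE verification failed"}
        return {"access_token": "constructed-access-token", "token_type": "Bearer"}


def login(provider: TokenEndpoint, session: dict, persist_verifier: bool) -> dict:
    """Simulate the relying party across the two requests of the code flow.

    persist_verifier=True stores the verifier in the session (the behaviour a correct
    client needs); False models request-scoped state that is lost across the redirect.
    """
    # Request 1: build the authorization request.
    verifier = make_verifier()
    if persist_verifier:
        session["pkce_verifier"] = verifier
    code = provider.authorize(make_challenge(verifier))

    # Request 2: the callback. Only what is in the session survives the redirect, so a
    # client that did not persist the verifier can only present a freshly generated one.
    verifier_at_callback = session.get("pkce_verifier") or make_verifier()
    return provider.token(code, verifier_at_callback)


if __name__ == "__main__":
    print(login(TokenEndpoint(), {}, persist_verifier=True))
    print(login(TokenEndpoint(), {}, persist_verifier=False))
```

Running the block prints a token response for the persisted case and `{"error": "invalid_grant", "error_description": "PKCE verification failed"}` for the non-persisted one, which is the provider-side symptom reported above. The comparison uses `hmac.compare_digest` rather than `==` because the provider is comparing a secret-derived value; the relying party's side of the fix is purely about keeping the verifier in session state for the duration of the redirect, the same way the nonce is kept.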

michael-doubez commented 7 months ago

I won't be able to provide a fix until Sunday at best.

michael-doubez commented 7 months ago

Fixed in v4.236.v4124503b_a_f88

toabi commented 7 months ago

Tested in our setup. It works again! Thanks for this quick resolution.