Achoo! Kraken · ZITADEL · 2mo ago · 5 replies

PKCE not enforced

Tags: Self-hosted · Authentication · APIs · Question · OIDC
I created an app with the Authentication Code flow and PKCE enabled.
Here's the summary as displayed by the wizard:
Grant Types [ Authorization Code ]
Response Types [ Code ]
Authentication Method None
Redirect URIs [ https://api.example.com/login/do ]
Post Logout URIs [ https://api.example.com/logout ]
Development Mode Disabled

The problem is, I can log in and exchange the code for tokens without ever specifying `code_challenge` / `code_challenge_method` / `code_verifier`.

The only way to effectively enforce PKCE is to include `code_verifier` in the token endpoint request, in which case I get `code_verifier unexpectedly provided`.

I'm not sure if this is relevant, but the summary screen shows the following for various Authentication Methods:
PKCE: None
CODE: Basic
JWT: Private Key JWT
POST: Post

Shouldn't Zitadel enforce PKCE parameters in the login request if the app is configured to use it?
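As an added example (not ZITADEL's code or API), this is the PKCE enforcement a provider is expected to apply for a public client registered like the one above, split into the check at the authorization endpoint and the check at the token endpoint; `PkceError`, `check_authorize` and `check_token` are assumed names, and the S256 transform follows RFC 7636.

```python
import base64
import hashlib
import hmac

# Constructed illustration of the checks a provider is expected to apply to a
# client registered like the one in this thread (Authorization Code flow,
# Authentication Method "None", i.e. a public client that relies on PKCE).
# PkceError, check_authorize and check_token are assumed names for this
# example and are not ZITADEL's own code or API.

class PkceError(Exception):
    """Raised when a request violates the PKCE requirements below."""

def s256_challenge(verifier: str) -> str:
    """RFC 7636 S256 transform: BASE64URL(SHA256(ASCII(code_verifier))), unpadded."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def check_authorize(auth_method: str, params: dict) -> dict:
    """Validate the /authorize request; return what must be stored with the code."""
    challenge = params.get("code_challenge")
    method = params.get("code_challenge_method")
    if auth_method == "none" and challenge is None:
        # This is the enforcement the thread expected and found missing.
        raise PkceError("public client: code_challenge is required")
    if challenge is not None and method != "S256":
        raise PkceError("only code_challenge_method=S256 is accepted")
    return {"code_challenge": challenge, "code_challenge_method": method}

def check_token(stored: dict, params: dict) -> bool:
    """Validate the /token request against what /authorize stored for the code."""
    verifier = params.get("code_verifier")
    challenge = stored.get("code_challenge")
    if challenge is None:
        if verifier is not None:
            # Same situation as the error quoted in the thread: no challenge was
            # bound to the code, so there is nothing to verify the verifier against.
            raise PkceError("code_verifier unexpectedly provided")
        return True
    if verifier is None:
        raise PkceError("code_verifier is required for this authorization code")
    if not 43 <= len(verifier) <= 128:
        raise PkceError("code_verifier must be 43 to 128 characters")
    # Constant-time compare so the check does not leak which characters matched.
    if not hmac.compare_digest(s256_challenge(verifier), challenge):
        raise PkceError("code_verifier does not match the stored code_challenge")
    return True
```

With these two checks in place, the flow described in the question (no `code_challenge` at login, no `code_verifier` at the token endpoint) is rejected at the first step rather than silently succeeding.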