
Documentation inconsistencies in PKCE flow


    Details

    • Needs backport:
      No
    • Needs QA verification:
      No
    • Functional tests:
      No
    • Are the reproduction steps defined?:
      No (add reasons in the comment)

      Description

      Bug description

      https://backstage.forgerock.com/docs/am/6.5/oidc1-guide/index.html#proc-auth-code-no-browser-pkce-oidc

      step 2 example contains "redirect_url" two times - please remove one

      https://backstage.forgerock.com/docs/am/6.5/oidc1-guide/index.html#proc-auth-code-token-pkce-oidc

      example contains

      --data "client_id=myClient" \

      which doesn't work for me; I need to use

      --user "myClientID:password" \

      instead to be able to get an access token

      Script working for me here:

      #!/usr/bin/env bash
      # Expects these to be set in the environment before running:
      #   URL, REDIRECT_URL, OIDC_CLIENT_ID, OIDC_CLIENT_PWD
      : "${URL:?set URL}" "${REDIRECT_URL:?set REDIRECT_URL}"
      : "${OIDC_CLIENT_ID:?set OIDC_CLIENT_ID}" "${OIDC_CLIENT_PWD:?set OIDC_CLIENT_PWD}"

      USER_TOKEN=$(./login_demo_user_and_return_token.sh)

      # Authorization request: the user's SSO token is sent in the iPlanetDirectoryPro
      # cookie (curl's long option is lowercase --cookie) and the authorization code is
      # read back from the Location header of the redirect to REDIRECT_URL.
      AUTHORIZATION_CODE=$(curl --silent --show-error --dump-header - \
      --request POST \
      --cookie "iPlanetDirectoryPro=${USER_TOKEN}" \
      --data "scope=openid profile" \
      --data "response_type=code" \
      --data "client_id=${OIDC_CLIENT_ID}" \
      --data "csrf=${USER_TOKEN}" \
      --data "redirect_uri=${REDIRECT_URL}" \
      --data "state=abc123" \
      --data "nonce=123abc" \
      --data "decision=allow" \
      --data "code_challenge=j3wKnK2Fa_mc2tgdqa6GtUfCYjdWSA5S23JKTTtPF8Y" \
      --data "code_challenge_method=S256" \
      "${URL}/oauth2/realms/root/authorize" \
                          | grep -i '^Location:' \
                          | cut -f2 -d"?" \
                          | tr '&' '\n' \
                          | grep '^code=' \
                          | cut -f2 -d"=")

      echo "using authorization code ${AUTHORIZATION_CODE} to get openid session"

      # Token request: the client authenticates with HTTP Basic (--user); the
      # code_verifier must be the one the code_challenge above was derived from.
      curl --silent --show-error --request POST \
      --user "${OIDC_CLIENT_ID}:${OIDC_CLIENT_PWD}" \
      --data "grant_type=authorization_code" \
      --data "code=${AUTHORIZATION_CODE}" \
      --data "client_id=${OIDC_CLIENT_ID}" \
      --data "redirect_uri=${REDIRECT_URL}" \
      --data "code_verifier=ZpJiIM_G0SE9WlxzS69Cq0mQh8uyFaeEbILlW8tHs62SmEE6n7Nke0XJGx_F4OduTI4" \
      "${URL}/oauth2/realms/root/access_token" \
                       | python -m json.tool
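The script above hard-codes one code_challenge/code_verifier pair, so every run reuses the same PKCE secret. As an added example (not part of this report or of AM), the helper below derives the S256 challenge from a verifier the way the token endpoint does, checks that a pair matches, and generates a fresh pair for each run; the function names are my own and it uses only the Python standard library.

```python
import base64
import hashlib
import re
import secrets

# code_verifier alphabet and length as specified by RFC 7636 section 4.1
_VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def b64url_no_pad(data: bytes) -> str:
    """Base64url-encode without '=' padding, as PKCE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def generate_verifier(n_bytes: int = 32) -> str:
    """Fresh high-entropy code_verifier (32 random bytes -> 43 characters)."""
    return b64url_no_pad(secrets.token_bytes(n_bytes))


def s256_challenge(verifier: str) -> str:
    """code_challenge for code_challenge_method=S256:
    BASE64URL(SHA256(ASCII(code_verifier))). Rejects malformed verifiers."""
    if not _VERIFIER_RE.match(verifier):
        raise ValueError("code_verifier must be 43-128 unreserved characters")
    return b64url_no_pad(hashlib.sha256(verifier.encode("ascii")).digest())


def verifier_matches(verifier: str, challenge: str) -> bool:
    """What the token endpoint checks at /access_token: recompute the challenge
    from the presented verifier and compare it in constant time."""
    try:
        expected = s256_challenge(verifier)
    except ValueError:
        return False
    return secrets.compare_digest(expected, challenge)


if __name__ == "__main__":
    # Constructed demo: one pair for a single authorize/access_token round trip.
    # Pass the first line to /authorize and the second to /access_token.
    verifier = generate_verifier()
    print("code_challenge=" + s256_challenge(verifier))
    print("code_verifier=" + verifier)
```

Running `verifier_matches` on the two literals in the script tells you whether that hard-coded pair is consistent; replacing them with the generated pair gives each run its own secret.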

            People

            Assignee: Cristina Herraz (cristina.herraz)
            Reporter: Ľubomír Mlích (lubomir.mlich)
            Votes: 0
            Watchers: 2
