fix: enable PKCE for Keycloak OAuth to prevent invalid_grant errors

flowcore-platform · flowcore-platform · commit 61b8509a6738 · 2026-01-20T16:00:47.000Z
Added code_challenge_method: "S256" to KeycloakProvider authorization
params to enable PKCE (Proof Key for Code Exchange). This prevents
double-submit and code replay attacks that were causing invalid_grant
errors during OAuth callback, which manifested as 502 Bad Gateway
errors in the browser.

PKCE adds an extra layer of security and ensures authorization codes
can only be used once by the client that initiated the OAuth flow.
diff --git a/lib/auth.ts b/lib/auth.ts
@@ -130,6 +130,8 @@ export const authOptions: NextAuthOptions = {
           scope: "openid email profile offline_access",
           // Request token with correct audience for MCP server
           audience: env.USABLE_CLIENT_ID,
+          // Enable PKCE (Proof Key for Code Exchange) to prevent double-submit and code replay attacks
+          code_challenge_method: "S256",
         },
       },
     }),
