Description
Describe the bug
When using kubelogin get-token --grant-type=device-code against Keycloak with PKCE required for Device Authorization Grant, authentication fails with:
authorization error response 400, invalid_request (Missing parameter: code_challenge_method)
I also tried forcing PKCE with --oidc-pkce-method=S256, but the device-code request still fails with the same error.
Keycloak seems to require code_challenge/code_challenge_method for device authorization when the client is configured to enforce PKCE. ([GitHub][1])
To Reproduce
- Keycloak:
  - Enable OAuth 2.0 Device Authorization Grant for the OIDC client (e.g., client_id=k8s).
  - Configure the client to require PKCE (e.g., “Proof Key for Code Exchange Code Challenge Method” set).
- Configure kubeconfig exec plugin to run kubelogin with device-code:

  ```sh
  kubectl oidc-login get-token \
    --oidc-issuer-url=https://<keycloak>/realms/<realm> \
    --oidc-client-id=<client_id> \
    --grant-type=device-code
  ```

  (I also tried adding --oidc-pkce-method=S256.)
- Run any kubectl command (e.g., kubectl get ns).
Expected behavior
Kubelogin should be able to complete Device Authorization Grant even when Keycloak requires PKCE, by sending code_challenge and code_challenge_method in the device authorization request (and code_verifier during token polling), or at least clearly document that PKCE for device-code is not supported.
Actual behavior
Kubelogin returns:
authorization error response 400, invalid_request (Missing parameter: code_challenge_method)
Environment
- OS: Windows (Git Bash / MINGW64)
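The exchange the Expected behavior section asks for, written out as an added example (this is illustration code written for this issue, not kubelogin's or Keycloak's own code): a device authorization request that carries code_challenge and code_challenge_method, followed by token polling that carries the matching code_verifier. The S256 derivation follows RFC 7636 and the request shapes follow RFC 8628; the issuer URL, the client_id value and the endpoint names read from the discovery document are assumptions, and the live flow in run_device_flow is only meant to be run against a real issuer.

```python
"""Device Authorization Grant (RFC 8628) with PKCE (RFC 7636).

Added example for this issue, not kubelogin's or Keycloak's code. The
issuer URL and client_id used by callers are placeholders.
"""
import base64
import hashlib
import json
import secrets
import time
import urllib.error
import urllib.parse
import urllib.request

DEVICE_CODE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"


def make_code_verifier(n_bytes: int = 32) -> str:
    # RFC 7636 section 4.1: 43..128 chars from [A-Za-z0-9-._~]; the
    # base64url form of 32 random bytes, without padding, is 43 chars.
    raw = base64.urlsafe_b64encode(secrets.token_bytes(n_bytes))
    return raw.rstrip(b"=").decode("ascii")


def make_code_challenge(verifier: str) -> str:
    # RFC 7636 section 4.2, method S256: BASE64URL(SHA256(ASCII(verifier))),
    # again without padding.
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def device_authorization_params(client_id: str, verifier: str, scope: str = "openid") -> dict:
    # Device authorization request (RFC 8628 section 3.1) extended with the
    # PKCE parameters a client that enforces PKCE rejects the request without.
    return {
        "client_id": client_id,
        "scope": scope,
        "code_challenge": make_code_challenge(verifier),
        "code_challenge_method": "S256",
    }


def device_token_params(client_id: str, device_code: str, verifier: str) -> dict:
    # Token polling request (RFC 8628 section 3.4); code_verifier lets the
    # server check it against the challenge from the first request.
    return {
        "grant_type": DEVICE_CODE_GRANT,
        "client_id": client_id,
        "device_code": device_code,
        "code_verifier": verifier,
    }


def _post_form(url: str, params: dict) -> tuple:
    # POST a form-encoded body and return (status, parsed JSON), including
    # for 4xx responses, so error payloads such as invalid_request are visible.
    data = urllib.parse.urlencode(params).encode("ascii")
    req = urllib.request.Request(url, data=data, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as e:
        return e.code, json.load(e)


def run_device_flow(issuer: str, client_id: str) -> dict:
    # Live exchange against a real issuer (placeholders assumed):
    # discover endpoints, start device authorization with the PKCE
    # challenge, then poll the token endpoint with the verifier.
    with urllib.request.urlopen(issuer.rstrip("/") + "/.well-known/openid-configuration") as r:
        meta = json.load(r)
    verifier = make_code_verifier()
    status, dev = _post_form(meta["device_authorization_endpoint"],
                             device_authorization_params(client_id, verifier))
    if status != 200:
        raise RuntimeError(f"device authorization failed: {status} {dev}")
    print(f"Open {dev.get('verification_uri_complete', dev['verification_uri'])} "
          f"and enter code {dev['user_code']}")
    interval = int(dev.get("interval", 5))
    deadline = time.time() + int(dev["expires_in"])
    while time.time() < deadline:
        time.sleep(interval)
        status, tok = _post_form(meta["token_endpoint"],
                                 device_token_params(client_id, dev["device_code"], verifier))
        if status == 200:
            return tok
        err = tok.get("error")
        if err == "slow_down":
            interval += 5  # RFC 8628 section 3.5: back off by 5 seconds
        elif err != "authorization_pending":
            raise RuntimeError(f"token request failed: {status} {tok}")
    raise RuntimeError("device code expired before the user authorized it")
```

The verifier is generated once and kept for the whole flow: the first request sends only its S256 digest, and the token poll sends the verifier itself, which is what allows the server to tie the two requests together. Calling run_device_flow("https://<keycloak>/realms/<realm>", "<client_id>") would exercise the same sequence kubelogin needs in order to satisfy a PKCE-enforcing client.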