Hi all,
We have deployed a PKCE OIDC flow in ISAM 10.
- GET /authorize
- Authentication
- Send the code to the browser
- The browser calls POST /mga/sps/oauth/oauth20/token which includes the PD-S-SESSION-ID cookie
Typically, the POST /mga/sps/oauth/oauth20/token call is done by a server-side component which does not have the cookies.
When the POST /mga/sps/oauth/oauth20/token call is done by an authenticated browser, this is WebSEAL's response, because it sees there's an active session tied to the cookie.
{ "error_description": "FBTOAU220E The authenticated client id: [DF74E4BDD4D2C160DAC72A902224BD3D399CD6BA8F0FDAA2FC033904D2D2A264@9A10B0944B10656463AF7F7F886DE824] does not match the client id in the request body.", "error": "invalid_client"}
We created a second junction pointing to the runtime server but without the IV-USER header and it solved the issue, but the flow is not a standard PKCE flow anymore. Removing the defaults on the /mga junction, identity tab (uncheck IV-user and include session cookie) doesn't work either.
Using curl we can simulate this, and when we don't send the PD-Session cookie, everything works as expected and we get the tokens. Sending the cookie gives the same error.
Do you have any alternative solutions to keep the PKCE flow as per the standard protocol?
Thanks!
Edgard Falconi
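The standard PKCE exchange described in the post, written out as an added example (not code from the original post or from IBM): it derives the S256 code_challenge from a code_verifier as RFC 7636 defines it, assembles the token request the way a server-side component sends it (form body with client_id and code_verifier, no Cookie header), and maps the FBTOAU220E / invalid_client response quoted above to a diagnosis. The host, client id and redirect URI are placeholders; only the token endpoint path comes from the post.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Placeholders: host and client id are not from the post; the path is the endpoint it names.
TOKEN_ENDPOINT = "https://isam.example.invalid/mga/sps/oauth/oauth20/token"
CLIENT_ID = "public-client-placeholder"


def make_code_verifier(nbytes: int = 32) -> str:
    """RFC 7636 section 4.1: a high-entropy random string, base64url without padding (43..128 chars)."""
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).rstrip(b"=").decode("ascii")


def code_challenge_s256(verifier: str) -> str:
    """RFC 7636 section 4.2: BASE64URL(SHA256(ASCII(code_verifier))), no padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_token_request(code: str, verifier: str, redirect_uri: str) -> dict:
    """Assemble the code exchange the way a server-side component sends it:
    a form body carrying client_id and code_verifier, and no Cookie header at all,
    so nothing ties the request to a browser session at the reverse proxy."""
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": CLIENT_ID,
        "code_verifier": verifier,
    }
    headers = {"Content-Type": "application/x-www-form-urlencoded",
               "Accept": "application/json"}
    return {"url": TOKEN_ENDPOINT, "headers": headers, "body": urlencode(body)}


def classify_token_error(response: dict) -> str:
    """Map the token endpoint's JSON reply to a diagnosis. The FBTOAU220E case is the one
    in the post: a session-bound client identity reached the runtime with the request."""
    if "access_token" in response:
        return "ok"
    desc = response.get("error_description", "")
    if response.get("error") == "invalid_client" and desc.startswith("FBTOAU220E"):
        return "session-bound client identity does not match client_id in body"
    return "other error: " + response.get("error", "unknown")
```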