Clicking back button after successful login with keycloak results in "PKCE code_verifier cookie was missing.." error #11642

Open
MarkLyck opened this issue Aug 20, 2024 · 0 comments
Labels
bug Something isn't working triage Unseen or unconfirmed by a maintainer yet. Provide extra information in the meantime.

MarkLyck commented Aug 20, 2024

Environment

System:
    OS: macOS 14.5
    CPU: (10) arm64 Apple M1 Max
    Memory: 857.22 MB / 32.00 GB
    Shell: 5.9 - /bin/zsh
  Binaries:
    Node: 20.12.0 - /usr/local/bin/node
    Yarn: 1.22.17 - /usr/local/bin/yarn
    npm: 10.5.0 - /usr/local/bin/npm
    pnpm: 9.5.0 - ~/Library/pnpm/pnpm
    bun: 1.1.25 - ~/.bun/bin/bun
  Browsers:
    Brave Browser: 119.1.60.118
    Chrome: 126.0.6478.185
    Safari: 17.5
  npmPackages:
    next: 15.0.0-canary.103 => 15.0.0-canary.103
    next-auth: 5.0.0-beta.18 => 5.0.0-beta.18
    react: 19.0.0-rc-187dd6a7-20240806 => 19.0.0-rc-187dd6a7-20240806

Reproduction URL

https://github.com/MarkLyck/keycloak-pkce-error-reproduction

Describe the issue

May be related to #11641 (which is the more serious issue, but this may help resolve it as well, it's certainly easier to reproduce)

If you log in with next-auth using the Keycloak provider with the standard flow, without an idp_hint, the login is successful and you will be redirected to the dashboard and everything will work.

However, if you click the browser "back" button after the redirect to the dashboard, you will be redirected to:

"https://colony-nextjs-git-patch-next-auth-with-logs-colonynetworks.vercel.app/api/auth/error?error=Configuration"

with the error:

[auth][error] InvalidCheck: PKCE code_verifier cookie was missing.. Read more at https://errors.authjs.dev#invalidcheck

I added a console.log inside the @auth/core package where the pkce check is done, and the code_verifier is undefined.

🛡️ ~ @auth / oauth / checks / pkce / codeVerifier: undefined

Maybe it gets deleted after a successful verification and then no longer exists when the user clicks back? Or maybe it's because of the 900 age limit on the cookie.

How to reproduce

  • Set up keycloak with standard flow
  • Remove idp_hint from reproduction app, and update the issuer to match your keycloak deployment
  • Deploy reproduction app to Vercel
  • Log in (see successful redirect)
  • Click back button.
  • See error

Expected behavior

Clicking the "back" button after a successful login in this case should redirect you to / (the same page you are already on)

@MarkLyck MarkLyck added bug Something isn't working triage Unseen or unconfirmed by a maintainer yet. Provide extra information in the meantime. labels Aug 20, 2024