
fix(auth): add PKCE to device flow #8

Merged
hbrombeer merged 1 commit into main from fix/device-pkce on Apr 28, 2026

Conversation

@hbrombeer
Member

Surfaced live — Keycloak rejects device flow without code_challenge_method now.

Surfaced live: `grounds login` failed with
  device endpoint 400: {"error":"invalid_request",
  "error_description":"Missing parameter: code_challenge_method"}

Recent Keycloak versions enforce PKCE on the device-authorization
endpoint, but our DeviceClient was sending only client_id + scope.

Adds RFC 7636 PKCE:
- StartDevice generates a 256-bit URL-safe random verifier and the
  matching SHA-256 challenge, sends `code_challenge` +
  `code_challenge_method=S256` to /auth/device, and returns the
  verifier on the response struct.
- PollToken takes the verifier as a new positional arg and forwards
  it as `code_verifier` on each token-endpoint call so Keycloak
  can validate the challenge bound to the device_code at request
  time.
- login.go threads the verifier through.

Tests assert the new fields are sent on both endpoints.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
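The PKCE handling this PR describes (a 256-bit base64url verifier, its S256 challenge, and the fields sent to the device-authorization and token endpoints), as an added stand-alone Go example that is not the project's DeviceClient code; the "grounds-cli" client id, scope and device_code values are constructed placeholders.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"net/url"
)
// PKCE is one RFC 7636 verifier/challenge pair for a device-flow session.
type PKCE struct{ Verifier, Challenge string }
// NewPKCE: 32 random bytes (256 bits) as unpadded base64url, a 43-char verifier (RFC 7636 allows 43..128).
func NewPKCE() (PKCE, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return PKCE{}, err
	}
	return PKCEFromVerifier(base64.RawURLEncoding.EncodeToString(raw)), nil
}
// PKCEFromVerifier derives the S256 challenge: BASE64URL(SHA256(ASCII(verifier))).
func PKCEFromVerifier(verifier string) PKCE {
	sum := sha256.Sum256([]byte(verifier))
	return PKCE{Verifier: verifier, Challenge: base64.RawURLEncoding.EncodeToString(sum[:])}
}
// DeviceAuthForm: without code_challenge + code_challenge_method=S256, Keycloak answers 400 invalid_request.
func DeviceAuthForm(clientID, scope string, p PKCE) url.Values {
	return url.Values{
		"client_id":             {clientID},
		"scope":                 {scope},
		"code_challenge":        {p.Challenge},
		"code_challenge_method": {"S256"},
	}
}
// TokenPollForm: code_verifier lets the server recompute the challenge it bound to device_code.
func TokenPollForm(clientID, deviceCode string, p PKCE) url.Values {
	return url.Values{
		"grant_type":    {"urn:ietf:params:oauth:grant-type:device_code"},
		"client_id":     {clientID},
		"device_code":   {deviceCode},
		"code_verifier": {p.Verifier},
	}
}

func main() { // "grounds-cli" is a constructed placeholder client id
	p, err := NewPKCE()
	if err != nil {
		panic(err)
	}
	fmt.Println(DeviceAuthForm("grounds-cli", "openid", p).Encode())
}
```

Keep the verifier only in process memory for the lifetime of the poll loop; it is the secret that binds the token request to the device_code.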
@hbrombeer hbrombeer merged commit cae6df9 into main Apr 28, 2026
5 checks passed
@lusu007 lusu007 deleted the fix/device-pkce branch April 29, 2026 18:58