Support Autorization Code Grant with PKCE

[joscherrer]

Apicurio Web UI doesn't support Authorization Code Grant with PKCE enabled.
PKCE support has been available since Quarkus 2.8.0 : quarkusio/quarkus#23423

Apicurio's Web UI is using a public client, so it is susceptible to the authorization code interception attack (see: RFC7636).

I am not competent enough to evaluate how much of a hassle upgrading Quarkus 2.7.6 to 2.8.0 and integrating the PKCE method would be, so I am not hoping to see this implemented any soon, but thought that opening this issue might be useful to track this (in my opinion) useful feature.

Feel free to close this if it is out of scope.

[joscherrer]

Nevermind, I thought that the UI authentication was handled by quarkus, but it's actually handled client-side by keycloak-js.

All the properties under registry.ui.config.auth.keycloak are passed to the UI through the https://<apicurio>/ui/config.js file.
So we can just add the pkceMethod property for it to be passed to the the keycloak-js init method :

$ cat /deployments/config/application.properties # https://quarkus.io/guides/config-reference#application-properties-file
registry.ui.config.auth.keycloak.pkceMethod=S256

Doing this enables PKCE support.

[carlesarnal]

Hi @joscherrer,

Glad you figured it out! Since it's solved, I guess we can close this one.

Thanks!