From e4cfc7306ee01edda0e4e22202c35f329976ae46 Mon Sep 17 00:00:00 2001 From: "j.w.jonkers" Date: Mon, 8 Jun 2026 08:27:22 +0200 Subject: [PATCH] grafana: disable PKCE for the generic_oauth flow MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Grafana is a confidential client authenticated with CLIENT_SECRET_BASIC. PKCE is designed for public clients that cannot protect a client secret; for confidential clients the client secret already authenticates the token exchange and PKCE adds no meaningful security. With use_pkce=true, Grafana generates a code_verifier, stores it in a browser session cookie alongside the OAuth state, then sends it in the token request. If that cookie is absent or invalid (different tab, browser restart, Safari ITP expiry, proxy stripping Set-Cookie), Grafana omits the verifier from the token request. Spring Authorization Server stored the code_challenge at the authorize step, so it now sees a stored challenge with no matching verifier and rejects the exchange — surfacing as "Failed to get token from provider" on the login page. Setting use_pkce=false removes the browser-state dependency and leaves the auth-api client registration unchanged (requirePkce=false). The flow is: authorize → cookie-free state param → code → secret-authenticated token exchange. --- platform/cluster/flux/apps/observability/grafana/release.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/platform/cluster/flux/apps/observability/grafana/release.yaml b/platform/cluster/flux/apps/observability/grafana/release.yaml index ba9c8c42..2b519180 100644 --- a/platform/cluster/flux/apps/observability/grafana/release.yaml +++ b/platform/cluster/flux/apps/observability/grafana/release.yaml @@ -90,4 +90,4 @@ spec: role_attribute_path: "contains(roles[*], 'ROLE_ADMIN') && 'GrafanaAdmin' || 'Viewer'" allow_assign_grafana_admin: true auto_login: true - use_pkce: true + use_pkce: false