Hi,
I’m running Boundary v0.20.0
Version information:
Build Date: 2025-09-18T16:30:15Z
Git Revision: dba31589bffa725d43d8f4d7e5ad937f2362c230
Version Number: 0.20.0
using Keycloak as the OIDC provider, and I want to enforce PKCE (S256) for OIDC login.
Issue:
When PKCE is enabled in Keycloak, both the Boundary Web UI and Boundary CLI OIDC login fail in the same way. The browser displays:
Could not authenticate
Something went wrong while authenticating. Please close this window and try again. If the problem persists, notify your administrator.
https://boundary.xxxxxxx.xxx/authentication-error?error=%7B%22kind%22%3A%22Internal%22%2C+%22message%22%3A%22authmethod_service.(Service).authenticateOidcCallback%3A+oidc+provider+callback+error%2C+external+system+issue%3A+error+%234000%3A+Error%3A+%5C%22invalid_request%5C%22%2C+Details%3A+%5C%22Missing+parameter%3A+code_challenge_method%5C%22%22%7D
Boundary logs:
authmethod_service.(Service).authenticateOidcCallback: oidc provider callback error, external system issue: error #4000: Error: "invalid_request", Details: "Missing parameter: code_challenge_method"
Technical details / Analysis:
When attempting OIDC authentication to Keycloak with PKCE enforced, Boundary initiates the login flow (the browser window opens as expected). However, the authorization request sent to Keycloak does not include the required PKCE parameters (code_challenge and code_challenge_method). This leads Keycloak to reject the authentication request with:
Invalid request: Missing parameter: code_challenge_method
As a result, both the Boundary Web UI and CLI OIDC login flows fail at the callback step with the above error.
This indicates that PKCE parameters are either not being sent or not handled correctly by Boundary in the OIDC authorization flow.
Questions:
- Is PKCE (S256) currently supported by the Web UI and CLI in Boundary v0.20.0 OIDC flows?
- If support is intended, what configuration or client state could cause the flow to miss the code_challenge_method parameter?
- Are there any workarounds, or a roadmap for fully functional PKCE support?
cli> boundary auth-methods read -id amoidc_Removed -addr https://boundary.xxxxxx.xxx
Auth Method information:
Created Time: Wed, 01 Oct 2025 15:58:00 CEST
ID: amoidc_Removed
Is Primary For Scope: true
Name: OrganisationNameRemoved
Type: oidc
Updated Time: Sat, 04 Oct 2025 17:43:27 CEST
Version: 12
Scope:
ID: o_Removed
Name: OrganisationNameRemoved
Parent Scope ID: global
Type: org
Authorized Actions:
delete
change-state
authenticate
no-op
read
update
Authorized Actions on Auth Method’s Collections:
accounts:
create
list
managed-groups:
list
create
Attributes:
allowed_audiences: [OrganisationNameRemoved]
api_url_prefix: https://boundary.xxxxxx.xxx
callback_url:
https://boundary.xxxxxx.xxx/v1/auth-methods/oidc:authenticate:callback
claims_scopes: [email profile]
client_id: OrganisationNameRemoved
client_secret_hmac: aT67BnwYjhv2-frMl-QWtkjcDTsmXZ_vHsGuRXZJD3Rt (Changed by me)
issuer:
https://keycloak.xxxxxx.xxx/realms/Name%20Removed
max_age: 0
signing_algorithms: [RS256]
state: active-public