Update 8.0.1 -> 9.0.0 unable to login to administration console (PKCE problem)

hello all,

i recently migrated from 8.0.1 to 9.0.0
all went well on my local environment but things gone wrong on production.

i’m currently unable to login into the administration console
the log presents the following problem:

14:45:55,987 INFO [org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint] (default task-9) PKCE enforced Client without code challenge method.

27/02/2020 14:45:55 14:45:55,987 WARN [org.keycloak.events] (default task-9) type=LOGIN_ERROR, realmId=master, clientId=security-admin-console, userId=null, ipAddress=xxx.xxx.x.xxx, error=invalid_request, response_type=code, redirect_uri=https://xxxxxxx/auth/admin/master/console/, response_mode=fragment

If i compare the auth url from my local environment and the url from production the fact is that the “code_challenge” and “code_challenge_method” query params are missing.

How can i restore login?

Thank you for your support

I faced with the same behavior, and when I rollback to 8.0.2 version - error was the same.
But I have only test stand and clean all was an option.
So I resolved it by full cleaning of docker containers and data (i’m not good deal with docker and for me it taked two attempts).

I can add that this problem not only with admin console, but with every login too.

And after cleaning all I restored version 8.0.2 and it worked fine. And after pulling 9.0.0 version all worked fine again. So it looks like the cause is in some settings that was done while using keycloak 8.0.2.

I encountered the same problem, did you solve it?

I can log in when I open it with an incognito browser or another new browser


could you please create JIRA for this issue? Looks like browser cache
problem, which we can hopefully fix on Keycloak side.



in my case clearing browser cache / incognito browser window did not work.
i assume either something during migration went wrong or a specific combination of my configuration caused problem on the new version.
either way, my fix was to remove a line from database.
table: client_attributes
row with:
value S256
name: pkce.code.challenge.method

after removing this line i was able to login again without any problem.
i am yet to know the implications of removing this configuration…


Hey everybody,

I can confirm the error from my side.
Private Browser Session and clearing the Cache does definitely not help in any way.

I didn’t found any fix anywhere.

Looking forward to receive a final solution

Thanks guys. I’ve created JIRA
to investigate

Which browser do you guys have btv?


1 Like

google chrome Version 80.0.3987.122

link to the JIRA issue:

Can you take a look at app.js to check if it’s including (look at index.html for the admin console to find the URL of it. It’ll be something like /auth/resources/lnz3u/admin/keycloak/js/app.js):

keycloakAuth.init({ onLoad: ‘login-required’, pkceMethod: ‘S256’ })

Seems somehow you are getting an old version of app.js loaded, which shouldn’t be possible. Unless you have an old and a new version of Keycloak running at the same time, or have some caching layer on top or something.

BTW browser cache shouldn’t have anything to do with this issue. The index.html page of the admin console is not cached, and all resources it uses includes a string that is updated on a release.

So possible causes of this issue includes:

  • Old KC version still running with updated DB
  • Some separate caching layer (CDN) in front of KC
  • Copying old admin theme when upgrading

Tested with

Microsoft Edge
Version 82.0.432.3 (Official build) dev (64-bit)

|Microsoft Edge|82.0.432.3 (Official build) dev (64-bit)|
|Operating system|Windows 10 OS Version 1909 (Build 18363.693)|
|JavaScript|V8 8.2.56|
|User agent|Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/82.0.4056.0 Safari/537.36 Edg/82.0.432.3|

Vivaldi 2.11.1811.44 (Stable channel) (64-Bit)

|Windows 10 OS Version 1909 (Build 18363.693)|
|JavaScript|V8 8.0.426.25|
|User-Agent|Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.125 Safari/537.36|

As I have control of the Proxy in front of Keycloak I have all caching Settings under my control and cleared everything already.

hello stianst

this is the version of app.js being loaded into my browser regarding the init function

keycloakAuth.init({ onLoad: 'login-required' }).success(function () {
        auth.authz = keycloakAuth;

        if (auth.authz.idTokenParsed.locale) {
            locale = auth.authz.idTokenParsed.locale;

        auth.refreshPermissions = function(success, error) {
            whoAmI(function(data) {
                auth.user = data;
                auth.loggedIn = true;
                auth.hasAnyAccess = hasAnyAccess(data);

            }, function() {

        loadResourceBundle(function(data) {
            resourceBundle = data;

            auth.refreshPermissions(function () {
                module.factory('Auth', function () {
                    return auth;
                var injector = angular.bootstrap(document, ["keycloak"]);

                injector.get('$translate')('consoleTitle').then(function (consoleTitle) {
                    document.title = consoleTitle;
    }).error(function () {

about the version that is running:

INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0025: Keycloak 9.0.0 (WildFly Core 10.0.3.Final) started in 24932ms - Started 684 of 989 services (701 services are lazy, passive or on-demand)

I found a solutions for this it is related to either a file in your

  • standalone
  • themes

So i guess it is an old admin theme like @stianst already said.
I got my self a fresh copy of KC and unzipped the standalone and theme folder.
This solved it on my end.

Copying the /theme folder solved it for me too. But the structure of the theme must have changed because everything is broken. Do we need to do the theming from scratch for every new version?

Instead of messing with the theme files, I found out that removing the volume and recreating it solved the problem too. No changes to the theme files were needed this way.