Disabling the PKCE Plain Method

Starting from ACP v4.3.0, PKCE (Proof Key for Code Exchange) verification is enabled by default for login authorization. To maintain backward compatibility with affected plugins that use the Agnostic life cycle and are not yet upgraded, the platform retains the plain code challenge method alongside the secure S256 method after upgrade.

Once all affected Agnostic plugins have been upgraded to versions compatible with ACP v4.3.0, you should remove the plain method to enforce S256-only PKCE verification.
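The difference between the two methods is what the authorization server can check at token exchange. With S256 the client sends only a SHA-256 digest of its secret verifier in the authorization request, so an authorization code that leaks (for example through a redirect URI) cannot be redeemed without the verifier. With plain the "challenge" is the verifier itself, so anyone who observed the authorization request already holds everything needed to redeem the code. The following is an added illustration of both methods as defined in RFC 7636, not code from the Alauda platform; the function names and the `allowed_methods` policy parameter are hypothetical, standing in for the `codeChallengeMethods` setting this page edits.

```python
import base64
import hashlib
import hmac
import secrets

# Hypothetical policy names; they model the OAuth2Client codeChallengeMethods field.
S256_ONLY = ("S256",)
S256_AND_PLAIN = ("S256", "plain")


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_verifier() -> str:
    """Client side: 32 random bytes -> 43-character code_verifier (RFC 7636 4.1)."""
    return b64url(secrets.token_bytes(32))


def make_challenge(verifier: str, method: str) -> str:
    """Client side: derive the code_challenge sent in the authorization request."""
    if method == "S256":
        return b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    if method == "plain":
        # The challenge IS the verifier: observing the request reveals the secret.
        return verifier
    raise ValueError(f"unsupported code_challenge_method: {method}")


def verify_pkce(verifier: str, stored_challenge: str, stored_method: str,
                allowed_methods: tuple) -> bool:
    """Server side, at token exchange: recompute the challenge from the presented
    verifier and compare it with what was stored when the code was issued.
    Exchanges whose method is not in the configured policy are rejected."""
    if stored_method not in allowed_methods:
        return False
    expected = make_challenge(verifier, stored_method)
    return hmac.compare_digest(expected, stored_challenge)


def challenge_reveals_verifier(method: str) -> bool:
    """True when an observer of the authorization request learns the verifier."""
    v = make_verifier()
    return make_challenge(v, method) == v


if __name__ == "__main__":
    v = make_verifier()
    for method in ("S256", "plain"):
        c = make_challenge(v, method)
        print(f"{method}: challenge reveals verifier = {challenge_reveals_verifier(method)}")
        print(f"  accepted under S256-only policy: {verify_pkce(v, c, method, S256_ONLY)}")
        print(f"  accepted with plain retained:    {verify_pkce(v, c, method, S256_AND_PLAIN)}")
```

Removing plain from `codeChallengeMethods` corresponds to switching the policy from `S256_AND_PLAIN` to `S256_ONLY`: a client that still sends `code_challenge_method=plain` is refused at token exchange, which is exactly the authentication failure the warning below describes for plugins that have not been upgraded.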

Prerequisites

  • kubectl access to the global cluster with cluster-admin privileges.
  • All clusters managed by the platform have been upgraded to ACP v4.3.
  • The following affected plugins with the Agnostic life cycle have been upgraded to versions compatible with ACP v4.3:
    • Alauda Container Platform Gitops
    • Alauda Build of Kiali
    • Kubeflow Base
    • Alauda AI

WARNING

In this context, affected plugins are the listed Agnostic plugins that use the platform OIDC authorization flow; removing plain before all of them are upgraded to ACP v4.3-compatible versions will cause authentication failures.

Procedure

The OIDC client configuration is stored as an OAuth2Client custom resource in the cpaas-system namespace. Determine the target resource name by client ID:

OIDC_CLIENT_NAME="$(kubectl get oauth2client -n cpaas-system \
  -o jsonpath='{range .items[?(@.id=="alauda-auth")]}{.metadata.name}{"\n"}{end}' | head -n 1)"
test -n "${OIDC_CLIENT_NAME}" || { echo "Failed to find OAuth2Client for id=alauda-auth"; exit 1; }
echo "Target OAuth2Client: ${OIDC_CLIENT_NAME}"

Edit the OAuth2Client resource:

kubectl edit oauth2client "${OIDC_CLIENT_NAME}" -n cpaas-system

Locate the codeChallengeMethods field and remove the plain entry, keeping only S256:

# Before
codeChallengeMethods:
- S256
- plain

# After
codeChallengeMethods:
- S256

Save and exit the editor. The change takes effect immediately.
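For environments where an interactive `kubectl edit` is not wanted (change tickets, repeatable runbooks), the same steps can be scripted. This is an added example, not part of the Alauda documentation: it assumes `kubectl` is on PATH with the current context pointing at the global cluster, and it relies only on the fields the commands above already use (`id` and `codeChallengeMethods` on the OAuth2Client resource). It is idempotent, refuses to produce a list without S256, and defaults to a dry run.

```python
import json
import subprocess
import sys

NAMESPACE = "cpaas-system"
CLIENT_ID = "alauda-auth"


def s256_only(methods):
    """Return (new_list, changed). Never returns a list without S256, because that
    would reject every PKCE login, not just the ones still using plain."""
    if "S256" not in methods:
        raise ValueError("S256 is not in codeChallengeMethods; refusing to remove plain")
    new = [m for m in methods if m != "plain"]
    return new, new != list(methods)


def find_client(items, client_id):
    """Pick the OAuth2Client whose top-level id matches, as the jsonpath filter does."""
    for item in items:
        if item.get("id") == client_id:
            return item
    return None


def kubectl(*args):
    """Run kubectl and return stdout; raises on a non-zero exit status."""
    return subprocess.run(["kubectl", *args], check=True,
                          capture_output=True, text=True).stdout


def main(apply=False):
    data = json.loads(kubectl("get", "oauth2client", "-n", NAMESPACE, "-o", "json"))
    client = find_client(data.get("items", []), CLIENT_ID)
    if client is None:
        sys.exit(f"Failed to find OAuth2Client for id={CLIENT_ID}")
    name = client["metadata"]["name"]
    current = client.get("codeChallengeMethods", [])
    new, changed = s256_only(current)
    print(f"Target OAuth2Client: {name}  current={current}")
    if not changed:
        print("plain is already absent; nothing to do")
        return
    patch = json.dumps({"codeChallengeMethods": new})
    if not apply:
        print(f"dry run; would patch with: {patch}")
        return
    kubectl("patch", "oauth2client", name, "-n", NAMESPACE, "--type", "merge", "-p", patch)
    # Read back the field, as the Verification section below does.
    print(kubectl("get", "oauth2client", name, "-n", NAMESPACE,
                  "-o", "jsonpath={.codeChallengeMethods}"))


if __name__ == "__main__":
    main(apply="--apply" in sys.argv[1:])
```

Run it once without arguments to see the computed patch, then with `--apply` to perform the merge patch; the rollback in the section below is the inverse merge patch and needs no change to this script.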

Verification

Confirm that the plain method has been removed:

kubectl get oauth2client "${OIDC_CLIENT_NAME}" -n cpaas-system \
  -o jsonpath='{.codeChallengeMethods}'

The output should be:

["S256"]

Run at least one login/authorization verification for each affected plugin (Alauda Container Platform Gitops, Alauda Build of Kiali, Kubeflow Base, and Alauda AI) to confirm there are no PKCE-related authentication failures.

Rollback

If authentication issues occur after removing the plain method (for example, any affected plugin login or authorization fails), add it back:

kubectl patch oauth2client "${OIDC_CLIENT_NAME}" -n cpaas-system \
  --type merge \
  -p '{"codeChallengeMethods":["S256","plain"]}'

After rollback, verify affected plugin logins again and then unset OIDC_CLIENT_NAME.