After release (chart: ssp-3.2.0+1930 / app version: 3.2.0+1930) was deployed, the application stopped authenticating.
When a login starts, the app makes the following call to initiate the login flow on the AuthHub UI:
https://ssp.example.com/default/oauth2/v1/authorize?response_type=code&client_id=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx&scope=openid+profile+email&redirect_uri=https://ssp.example.com/callback
This call fails with the error "msg":"Missing code_challenge" in the azserver log.
Note that the AuthHub OIDC app's client type is "Confidential" (not "Public").
VIP Authentication Hub 3.2.0+1930
This is due to product default behavior changes between versions.
Version 3.2 automatically upgrades all existing OIDC apps to have "allowNonPKCEConnections".
However, a new OIDC app requires PKCE enabled out of the box, unless PKCE is specifically disabled for that app through app metadata.
When PKCE (Proof Key for Code Exchange) is enabled, the flow uses the parameters code verifier, code challenge and code challenge method.
If the OIDC client application does not use PKCE, release 3.2 provides an app setting to control this.
Improvements in App Metadata
The following new app metadata fields have been added in this release:
allowIdpHint
allowNonSslRedirectUri
allowAppNotToSendRedirectUri
allowNonPKCEConnections
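
A client that sends PKCE instead of relying on allowNonPKCEConnections adds the code challenge parameters to the authorize request, as in this added example (not code from the product or from the original article). It assumes the S256 method defined in RFC 7636; the endpoint, redirect URI and placeholder client_id are the ones from the failing request above, and server_accepts is a hypothetical stand-in for the comparison an authorization server makes at the token endpoint.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

# Endpoint, redirect URI and placeholder client_id are copied from the
# failing authorize request on this page.
AUTHORIZE_URL = "https://ssp.example.com/default/oauth2/v1/authorize"
REDIRECT_URI = "https://ssp.example.com/callback"
CLIENT_ID = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx"


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_code_verifier() -> str:
    """32 random bytes give a 43-character verifier (RFC 7636 allows 43-128)."""
    return b64url(secrets.token_bytes(32))


def s256_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(verifier: str) -> str:
    """Same request as above plus the two PKCE parameters it was missing."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "scope": "openid profile email",
        "redirect_uri": REDIRECT_URI,
        "code_challenge": s256_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


def server_accepts(verifier: str, stored_challenge: str) -> bool:
    """Hypothetical server-side check of code_verifier in the token request."""
    return hmac.compare_digest(s256_challenge(verifier), stored_challenge)


if __name__ == "__main__":
    v = new_code_verifier()  # keep it; it is sent later as code_verifier
    print(build_authorize_url(v))
```

The verifier stays with the client and is sent as code_verifier when the authorization code is exchanged for tokens; only the challenge appears in the browser-visible authorize URL.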