keycloak: disable PKCE for Gitea Veles OIDC

services/keycloak/oneoffs/veles-gitea-oidc-secret-ensure-job.yaml

@@ -1,12 +1,12 @@
 # services/keycloak/oneoffs/veles-gitea-oidc-secret-ensure-job.yaml
-# One-off job for sso/veles-gitea-oidc-secret-ensure-1.
+# One-off job for sso/veles-gitea-oidc-secret-ensure-2.
 # Purpose: create/update the Veles realm Gitea OIDC client and write the
 # matching Gitea auth-source secret to Vault.
 # Keep suspended until the Vault policy change has reconciled, then unsuspend once.
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: veles-gitea-oidc-secret-ensure-1
+  name: veles-gitea-oidc-secret-ensure-2
   namespace: sso
 spec:
   suspend: true

services/keycloak/scripts/veles_gitea_oidc_secret_ensure.sh

@@ -157,7 +157,7 @@ client_payload="$(jq -nc \
   --arg client_id "${CLIENT_ID}" \
   --arg root_url "${PUBLIC_BASE_URL}" \
   --arg callback "${PUBLIC_BASE_URL}/user/oauth2/${AUTH_SOURCE_NAME}/callback" \
-  '{clientId:$client_id,enabled:true,protocol:"openid-connect",publicClient:false,standardFlowEnabled:true,implicitFlowEnabled:false,directAccessGrantsEnabled:false,serviceAccountsEnabled:false,redirectUris:[$callback],webOrigins:[$root_url],rootUrl:$root_url,baseUrl:"/",attributes:{"pkce.code.challenge.method":"S256","post.logout.redirect.uris":($root_url + "/*")}}')"
+  '{clientId:$client_id,enabled:true,protocol:"openid-connect",publicClient:false,standardFlowEnabled:true,implicitFlowEnabled:false,directAccessGrantsEnabled:false,serviceAccountsEnabled:false,redirectUris:[$callback],webOrigins:[$root_url],rootUrl:$root_url,baseUrl:"/",attributes:{"post.logout.redirect.uris":($root_url + "/*")}}')"
 
 if [ -z "$CLIENT_UUID" ] || [ "$CLIENT_UUID" = "null" ]; then
   status="$(curl -sS -o /tmp/keycloak-client-create.json -w "%{http_code}" -X POST \