    "Invalid Authorization Code" while implementing the Authorization Code Flow with Proof Key for Code Exchange (PKCE)

    apeksha.barhanpur
      last edited by apeksha.barhanpur

      Hi Team,

      I am trying to implement the Authorization Code Flow with Proof Key for Code Exchange (PKCE) into our POC app and have been facing an issue.

      Below are the details on the logic that I am trying to implement or the steps that I have performed so far.

      1. I am first generating a code_verifier (String of 43 - 128 characters)
        // 32 random bytes encode to exactly 43 base64url characters, the minimum length
        SecureRandom secureRandom = new SecureRandom();
        byte[] codeVerifier = new byte[32];
        secureRandom.nextBytes(codeVerifier);
        String code_verifier =
        Base64.getUrlEncoder().withoutPadding().encodeToString(codeVerifier);

      2. Once I have the code_verifier I am then generating a code_challenge using the SHA-256 algorithm.

               // StandardCharsets avoids the checked UnsupportedEncodingException of getBytes("US-ASCII")
               byte[] bytes = code_verifier.getBytes(StandardCharsets.US_ASCII);
               MessageDigest messageDigest = MessageDigest.getInstance("SHA-256");
               messageDigest.update(bytes, 0, bytes.length);
               byte[] digest = messageDigest.digest();

               String code_challenge = Base64.getUrlEncoder().withoutPadding().encodeToString(digest);

      3. I then have the following request for the /oauth2/authorize endpoint, during which I am passing the code_challenge and the code_challenge_method to receive an Authorization code.

      Auth endpoint : "http://localhost:9011/oauth2/authorize" + "?client_id=" + clientId
      + "&response_type=code"
      + "&redirect_uri=http://localhost:8080/redirect"
      + "&scope=openid%20offline_access"
      + "&code_challenge=" + code_challenge
      + "&code_challenge_method=S256";

      The call is successful and I do receive an Authorization code. Next, I make a call to /oauth2/token, passing the Authorization code and the code_verifier so that FusionAuth can use the stored hashed value (the Code Challenge) from the previous call to validate the code_verifier.

      Token endpoint call = FusionAuthClient.exchangeOAuthCodeForAccessTokenUsingPKCE(auth_code, clientId, clientSecret, redirect_url, code_verifier);

      When I make the request to /oauth2/token I get the following error:

      {
        "error" : "invalid_request",
        "change_password_id" : null,
        "error_description" : "Invalid Authorization Code",
        "error_uri" : null,
        "error_reason" : "auth_code_not_found",
        "two_factor_id" : null
      }

      Though the authorize endpoint gives me an auth code, I am not sure why FusionAuth is unable to verify it during the /token endpoint call.

      I am currently using the Maven dependency below for the FusionAuth client, and I also have a trial version of the FusionAuth server running on my system.

      <dependency>
        <groupId>io.fusionauth</groupId>
        <artifactId>fusionauth-java-client</artifactId>
        <version>1.32.1</version>
      </dependency>

      Can someone guide me or let me know if there is anything wrong that I am doing, or if I missed anything?

      Thanks in advance.

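The verifier and challenge derivation from steps 1 and 2 above, together with the check the token endpoint performs when it receives the code_verifier, as an added example that is not code from the original post or from FusionAuth. The class and method names are assumptions; the known-answer values are the RFC 7636 Appendix B test vector.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.regex.Pattern;

// Added example (hypothetical class name), not FusionAuth code: PKCE S256 on both sides.
public final class PkceExample {
    private static final SecureRandom RNG = new SecureRandom();
    private static final Base64.Encoder B64URL = Base64.getUrlEncoder().withoutPadding();
    // RFC 7636 section 4.1: 43..128 characters from the unreserved set [A-Z a-z 0-9 - . _ ~]
    private static final Pattern VERIFIER = Pattern.compile("[A-Za-z0-9\\-._~]{43,128}");
    // Client side. 32 random bytes encode to 43 chars (the RFC minimum); 96 bytes give 128.
    public static String newCodeVerifier(int numBytes) {
        if (numBytes < 32 || numBytes > 96) throw new IllegalArgumentException("use 32..96 bytes");
        byte[] raw = new byte[numBytes];
        RNG.nextBytes(raw);
        return B64URL.encodeToString(raw);
    }
    // code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) for code_challenge_method=S256.
    public static String s256Challenge(String codeVerifier) {
        if (!VERIFIER.matcher(codeVerifier).matches())
            throw new IllegalArgumentException("code_verifier violates the RFC 7636 format");
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256")
                    .digest(codeVerifier.getBytes(StandardCharsets.US_ASCII));
            return B64URL.encodeToString(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e); // SHA-256 is mandatory in every JRE
        }
    }
    // Server side: what /oauth2/token does with the challenge stored at /oauth2/authorize time
    // and the code_verifier presented with the code; constant-time compare, not String.equals.
    public static boolean verifierMatches(String storedChallenge, String presentedVerifier) {
        if (storedChallenge == null || presentedVerifier == null) return false;
        if (!VERIFIER.matcher(presentedVerifier).matches()) return false;
        byte[] expected = storedChallenge.getBytes(StandardCharsets.US_ASCII);
        byte[] actual = s256Challenge(presentedVerifier).getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(expected, actual);
    }
    public static void main(String[] args) {
        // Known-answer check with the RFC 7636 Appendix B test vector.
        String verifier = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk";
        String challenge = s256Challenge(verifier);
        System.out.println(challenge.equals("E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"));
        System.out.println(verifierMatches(challenge, verifier) && !verifierMatches(challenge, newCodeVerifier(32)));
    }
}
```

Both println calls print true when the derivation matches the RFC; a server that has PKCE disabled for the application never runs the verifierMatches step at all, which is why the thread's fix was a configuration change rather than a code change.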
      dan @apeksha.barhanpur
        last edited by

        @apeksha-barhanpur

        What do the fusionauth logs tell you? If you turn on the debug attribute on the OAuth tab for this application, and then run through it, what do you see in the System -> Event Log?

        --
        FusionAuth - Auth for devs, built by devs.
        https://fusionauth.io

        apeksha.barhanpur @dan
          last edited by

          @dan

          I actually got the issue resolved; I had PKCE configured as "Not Required". After I changed that to "Required", the flow worked as expected.

          Thanks.
