PKCE Verification Fails
-
I have a pre-existing FusionAuth integrated application that uses Authorization Code successfully. For safety reasons I'm adding support for PKCE.
I've added code_challenge and code_challenge_method to the authorize url, so it looks like this:
https://.../oauth2/authorize?client_id=...&tenantId=...&redirect_uri=.../authcallback&response_type=code&scope=openid&state=...&code_challenge=...&code_challenge_method=S256
Upon the response to the callback, the code is then sent back to FusionAuth in the Token request, adding the code_verifier:
POST /oauth2/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: ...
Connection: close
Content-Length: 241

client_id=...&redirect_uri=...%3A3000%2Fauthcallback&code=...&code_verifier=...&grant_type=authorization_code
The response is a 400 Bad Request with the following body:
{"error":"invalid_request","error_description":"Invalid Authorization Code","error_reason":"auth_code_not_found"}
-
@rmachorro What version of FusionAuth are you using? At first glance that appears to be the right way to do it.
-
@dan I have the same error. It seems that FusionAuth just throws the same error when:
- authorization code is invalid
- code_verifier is invalid (good format but not corresponding to code_challenge)
When I look at the logs in the FusionAuth interface, I see the correct errors, but not in the HTTP response.
(I'm using 1.40.1)
-
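The S256 computation behind the authorize and token requests in the first post, and the server-side check that decides whether a code_verifier matches the stored code_challenge (the case the reply above says is reported with the same error as an unknown code), as an added example that is not FusionAuth's code or anyone's code from this thread. It implements the RFC 7636 rules directly; the FusionAuth URL and request layout are only mirrored in the helper names, which are assumed.

```python
import base64
import hashlib
import hmac
import re
import secrets

_VERIFIER_CHARS = re.compile(r"^[A-Za-z0-9._~-]{43,128}$")  # RFC 7636 section 4.1


def _b64url(raw: bytes) -> str:
    # base64url without padding, as RFC 7636 requires for both verifier and challenge
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(num_bytes: int = 32) -> str:
    # 32 random bytes -> 43 unreserved characters, the minimum length allowed
    return _b64url(secrets.token_bytes(num_bytes))


def s256_challenge(code_verifier: str) -> str:
    # code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
    return _b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


def authorize_params(client_id: str, redirect_uri: str, state: str, code_verifier: str) -> dict:
    # Query parameters the client adds to /oauth2/authorize (hypothetical helper)
    return {
        "client_id": client_id, "redirect_uri": redirect_uri, "response_type": "code",
        "scope": "openid", "state": state,
        "code_challenge": s256_challenge(code_verifier), "code_challenge_method": "S256",
    }


def verify_pkce(stored_challenge: str, method: str, code_verifier: str) -> bool:
    # What the token endpoint must do with the code_verifier sent alongside the code.
    # A failure here is a verifier/challenge mismatch, distinct from an unknown code.
    if not _VERIFIER_CHARS.match(code_verifier):
        return False
    if method == "S256":
        expected = s256_challenge(code_verifier)
    elif method == "plain":
        expected = code_verifier
    else:
        return False
    return hmac.compare_digest(expected, stored_challenge)


if __name__ == "__main__":
    v = make_code_verifier()
    params = authorize_params("my-client", "http://localhost:3000/authcallback", "xyz", v)
    print(params["code_challenge"], verify_pkce(params["code_challenge"], "S256", v))
```

The RFC 7636 Appendix B vector (verifier dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk) is a quick way to confirm a client's challenge computation before looking for the problem on the server side.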
@julien-sarriot What does turning on the debug log do? https://fusionauth.io/docs/v1/tech/admin-guide/troubleshooting#enabling-debugging has instructions on how to do that and where to look afterwards (in the event log).
Please share that info here.