UNSOLVED "Invalid Authorization Code" while implementing the Authorization Code Flow with Proof Key for Code Exchange (PKCE)
I am trying to implement the Authorization Code Flow with Proof Key for Code Exchange (PKCE) into our POC app and have been facing some issue.
Below are the details on the logic that I am trying to implement or the steps that I have performed so far.
I am first generation a code_verifier (String of 43 - 128 characters)
SecureRandom secureRandom = new SecureRandom();
byte codeVerifier = new byte;
String code_verifier =
Once I have the code_verifier I am then generating a code_challenge using SHA-256 algorithm.
byte bytes = code_verifier.getBytes("US-ASCII"); MessageDigest messageDigest = MessageDigest.getInstance("SHA-256"); messageDigest.update(bytes, 0, bytes.length); byte digest = messageDigest.digest(); String code_challenge = Base64.getUrlEncoder().withoutPadding().encodeToString(digest);
I then have the following request for the /oauth2/authorize endpoint during with I am passing the code_challenge and the code_challenge_method to receive an Authorization code.
Auth endpoint : "http://localhost:9011/oauth2/authorize" + "?client_id=" + clientId
+"&code_challenge=" + code_challenge
The call is successful and I do receive an Authorization code. Next, I request a call to /oauth2/token by passing the Authorization code and the code_verifier so that FusionAuth can use the stored hashed value (the Code Challenge) from previous call and use that for validating the code_verifier.
Token endpoint call = FusionAuthClient.exchangeOAuthCodeForAccessTokenUsingPKCE(auth_code, clientId, clientSecret, redirect_url,code_verifier);
When I make the request to /oauth2/token I get the following error:
"error" : "invalid_request",
"change_password_id" : null,
"error_description" : "Invalid Authorization Code",
"error_uri" : null,
"error_reason" : "auth_code_not_found",
"two_factor_id" : null
Though the authorize endpoint gives me an auth code but not sure why FusionAuth is unable to verify it during the /token endpoint call.
I am currently using the below maven dependency for the FusionAuth client and I also have a trial version of FusionAuth server running on my system.
Can someone guide me or let me know if there is anything wrong that I am doing or did I miss anything.
Thanks in advance.
dan last edited by
What do the fusionauth logs tell you? If you turn on the debug attribute on the OAuth tab for this application, and then run through it, what do you see in the System -> Event Log?
I actually got the issue resolved, I had the PKCE configured as "Not Required". After I changed that to "Required" the flow worked as expected.