"Invalid Authorization Code" while implementing the Authorization Code Flow with Proof Key for Code Exchange (PKCE)
-
Hi Team,
I am trying to implement the Authorization Code Flow with Proof Key for Code Exchange (PKCE) in our POC app and have been facing some issues.
Below are the details on the logic that I am trying to implement or the steps that I have performed so far.
-
I am first generating a code_verifier (a String of 43 - 128 characters):
import java.security.SecureRandom;
import java.util.Base64;

// 32 random bytes, base64url-encoded without padding, give a 43-character verifier
SecureRandom secureRandom = new SecureRandom();
byte[] codeVerifier = new byte[32];
secureRandom.nextBytes(codeVerifier);
String code_verifier =
Base64.getUrlEncoder().withoutPadding().encodeToString(codeVerifier);
Once I have the code_verifier I am then generating a code_challenge using the SHA-256 algorithm:
// code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), i.e. code_challenge_method=S256
byte[] bytes = code_verifier.getBytes(StandardCharsets.US_ASCII);
MessageDigest messageDigest = MessageDigest.getInstance("SHA-256");
messageDigest.update(bytes, 0, bytes.length);
byte[] digest = messageDigest.digest();
String code_challenge = Base64.getUrlEncoder().withoutPadding().encodeToString(digest);
-
I then have the following request for the /oauth2/authorize endpoint, during which I am passing the code_challenge and the code_challenge_method to receive an Authorization code.
Auth endpoint : "http://localhost:9011/oauth2/authorize" + "?client_id=" + clientId
+ "&response_type=code"
+ "&redirect_uri=http://localhost:8080/redirect"
+ "&scope=openid%20offline_access"
+ "&code_challenge=" + code_challenge
+ "&code_challenge_method=S256";
The call is successful and I do receive an Authorization code. Next, I make a call to /oauth2/token, passing the Authorization code and the code_verifier, so that FusionAuth can use the stored hashed value (the Code Challenge) from the previous call to validate the code_verifier.
Token endpoint call = FusionAuthClient.exchangeOAuthCodeForAccessTokenUsingPKCE(auth_code, clientId, clientSecret, redirect_url,code_verifier);
When I make the request to /oauth2/token I get the following error:
{
"error" : "invalid_request",
"change_password_id" : null,
"error_description" : "Invalid Authorization Code",
"error_uri" : null,
"error_reason" : "auth_code_not_found",
"two_factor_id" : null
}
The authorize endpoint does give me an auth code, but I am not sure why FusionAuth is unable to verify it during the /token endpoint call.
I am currently using the below maven dependency for the FusionAuth client and I also have a trial version of FusionAuth server running on my system.
<dependency>
    <groupId>io.fusionauth</groupId>
    <artifactId>fusionauth-java-client</artifactId>
    <version>1.32.1</version>
</dependency>
Can someone guide me or let me know if there is anything wrong that I am doing, or if I missed anything?
Thanks in advance.
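As an added example (not code from the original post or from the FusionAuth client library), a self-contained Java class that builds the verifier and S256 challenge the way the post does, and also shows the check the authorization server performs at the token endpoint when PKCE is required: recompute the challenge from the presented code_verifier and compare it, in constant time, with the challenge stored against the authorization code. Class and method names are my own; the test vector is the one from RFC 7636 Appendix B.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;

/** PKCE (RFC 7636) helpers: the client-side verifier/challenge pair and the
 *  S256 check an authorization server performs when the code is exchanged. */
public final class PkceExample {
    private static final SecureRandom RNG = new SecureRandom();
    private static final Base64.Encoder B64URL = Base64.getUrlEncoder().withoutPadding();

    /** 32 random bytes -> 43-char base64url string, inside the 43..128 range RFC 7636 requires. */
    public static String generateCodeVerifier() {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        return B64URL.encodeToString(raw);
    }

    /** code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) for code_challenge_method=S256. */
    public static String computeS256Challenge(String codeVerifier) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256")
                    .digest(codeVerifier.getBytes(StandardCharsets.US_ASCII));
            return B64URL.encodeToString(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory in every JRE", e);
        }
    }

    /** Server side: recompute the challenge from the presented verifier and compare it with the
     *  challenge stored alongside the authorization code, in constant time. */
    public static boolean verifyS256(String storedChallenge, String presentedVerifier) {
        if (presentedVerifier == null || presentedVerifier.length() < 43 || presentedVerifier.length() > 128) {
            return false; // reject out-of-spec verifiers before hashing
        }
        byte[] expected = storedChallenge.getBytes(StandardCharsets.US_ASCII);
        byte[] actual = computeS256Challenge(presentedVerifier).getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(expected, actual);
    }

    public static void main(String[] args) {
        String verifier = generateCodeVerifier();
        String challenge = computeS256Challenge(verifier); // this value goes on /oauth2/authorize
        System.out.println("same client, same verifier : " + verifyS256(challenge, verifier));
        System.out.println("code without its verifier  : " + verifyS256(challenge, generateCodeVerifier()));
        // RFC 7636 Appendix B test vector, a quick self-check of the S256 computation
        System.out.println("RFC 7636 vector matches    : " + "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"
                .equals(computeS256Challenge("dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk")));
    }
}
```

The second line of output is why PKCE matters: a code captured on the redirect is useless without the verifier, so the server must actually enforce the check, which is what switching the application's PKCE setting to "Required" does.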
-
What do the fusionauth logs tell you? If you turn on the debug attribute on the OAuth tab for this application, and then run through it, what do you see in the System -> Event Log?
-
I actually got the issue resolved, I had the PKCE configured as "Not Required". After I changed that to "Required" the flow worked as expected.
Thanks.