I'm writing a script which uses auth0 to authenticate with a remote API.
Following this tutorial: https://auth0.com/docs/api-auth/tutorials/authorization-code-grant-pkce
import (
"crypto/rand"
"crypto/sha256"
"encoding/base64"
"strings"
)
func genAuth0CodeVerifierChallance() (string, string) {
// Generate random Code Verifier
c := make([]byte, 32)
rand.Read(c)
code := base64.StdEncoding.EncodeToString(c)
code = strings.Replace(code, "+", "-", -1)
code = strings.Replace(code, "/", "_", -1)
code = strings.Replace(code, "=", "", -1)
// Generate auth0 challange
ch := sha256.Sum256([]byte(code))
challange := base64.StdEncoding.EncodeToString(ch[:])
challange = strings.Replace(challange, "+", "-", -1)
challange = strings.Replace(challange, "/", "-", -1)
challange = strings.Replace(challange, "=", "", -1)
return code, challange
}
I use that function to generate a code challenge, for example eQM2dqasJN3-gXcM0g1Se-CmAn8PyU7c5uHRKU7Exa0
I make a HTTP Post with the payload
p := &payloadData{
GrantType: "authorization_code",
ClientId: "...............................", (removed)
CodeVerifier: codeChallenge,
Code: code, (example: AuL3ArApgQ4QDu_9)
RedirectUri: "http://127.0.0.1:16272/oauth/token",
}
...marshal json...
req, _ := http.NewRequest("POST", "https://my-app.eu.auth0.com/oauth/token", bytes.NewBuffer(payload))
I get the error:
{403 Forbidden 403...
{"error":"invalid_grant","error_description":"Failed to verify code verifier"}
Other references to this have said characters weren't properly url encoded/replaced in the base64 encoded challenge.
I've tried with the following two encoding's for /
code = strings.Replace(code, "+", "-", -1)
code = strings.Replace(code, "/", "_", -1)
code = strings.Replace(code, "=", "", -1)
and
code = strings.Replace(code, "+", "-", -1)
code = strings.Replace(code, "/", "-", -1)
code = strings.Replace(code, "=", "", -1)
But I always get:
{"error":"invalid_grant","error_description":"Failed to verify code verifier"}
I ran into the same error implementing Auth0 PKCE:
{"error":"invalid_grant","error_description":"Failed to verify code verifier"}
In my case, the error was caused by accidentally sending different Verifiers in the Authorization URL and the Token Exchange. I did some logging of both Authorization URL called and the Token Exchange request body to figure this out and recommend you do the same.
I have a working demo implementation here you can try. This is a HTTP server, not a native app, but it exercises the PKCE flows successfully.
Of note, you don't have to manually replace + and / since Go supports this using base64.URLEncoding instead of StdEncoding as follows:
strings.Trim(base64.URLEncoding.EncodeToString(data), "=")
In addition to the Auth0 documentation, more information is available on the OAuth 2.0 PKCE in IETF RFC-7636: