Fixed OAuth2 - Public flow - grant is always invalid

stromb0li

Affected version: 2.3.4
I am trying to follow OAuth2 public flow and I seem to always receive back provided_code_verifier_does_not_match_code_challenge when trying to obtain an access token.

Here's my code in generating the verify and challenge (it's in dart):
Code:
  // Generate a random code verifier
  String _generateCodeVerifier() {
    final random = Random.secure();
    final values = List<int>.generate(32, (i) => random.nextInt(256));
    return base64Url.encode(values).replaceAll('=', '');
  }

  // Generate the code challenge using SHA256
  String _generateCodeChallenge(String codeVerifier) {
    final bytes = utf8.encode(codeVerifier);
    final digest = sha256.convert(bytes);
    return base64Url.encode(digest.bytes).replaceAll('=', '').replaceAll('+', '-').replaceAll('/', '_');
  }

Here's some logging:

Generated Code Verifier: wofdKaweqJeBB9DA_wZ6eglJA4iibkFpxwgWh704hSo
Generated Code Challenge: S7tN52SMWcbeV5wOKLUoF1ZwfhQtup8z36c4Wbpm9U8

Authorization URL: https://example.com/oauth2/authorize?response_type=code&client_id=12345&redirect_uri=https://example.com/auth/signIn&scope=user:read&code_challenge=S7tN52SMWcbeV5wOKLUoF1ZwfhQtup8z36c4Wbpm9U8&code_challenge_method=S256

Reply received: https://example.com/auth/signIn?code=NLhzsA6rh6rLVsax-tjtyVr2hom8RQSH
Authorization code received: NLhzsA6rh6rLVsax-tjtyVr2hom8RQSH

Retrieved Code Verifier: wofdKaweqJeBB9DA_wZ6eglJA4iibkFpxwgWh704hSo

Exchanging authorization code for tokens...
Token URL: https://example.com/api/oauth2/token
Headers: {Content-Type: application/x-www-form-urlencoded}
Body: {grant_type: authorization_code, code: NLhzsA6rh6rLVsax-tjtyVr2hom8RQSH, redirect_uri: https://example.com/auth/signIn, client_id: 12345, code_verifier: wofdKaweqJeBB9DA_wZ6eglJA4iibkFpxwgWh704hSo}

Failed to exchange authorization code for tokens:

JSON:
{
    "errors": [
        {
            "code": "invalid_grant",
            "message": "provided_code_verifier_does_not_match_code_challenge",
            "params": []
        }
    ]
}
 
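The same PKCE S256 exchange written out end to end, with both the client side (verifier and challenge generation, authorization URL) and the server side check a token endpoint has to perform. This is an added example in Python, not the poster's Dart code and not XenForo's implementation; the in-memory code store, the function names (issue_code, token_endpoint), the error JSON shape copied from the post, and the sample client_id and redirect_uri are all assumptions made for the demo. The RFC 7636 Appendix B test vector is included so the client-side function can be checked against a known-good pair.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode


def b64url_nopad(raw: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 Appendix A specifies."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def generate_code_verifier(num_bytes: int = 32) -> str:
    """Client side: 32 random bytes -> 43-character verifier (RFC 7636 4.1)."""
    return b64url_nopad(secrets.token_bytes(num_bytes))


def code_challenge_s256(code_verifier: str) -> str:
    """Client side: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url_nopad(hashlib.sha256(code_verifier.encode("ascii")).digest())


def build_authorize_url(base: str, client_id: str, redirect_uri: str,
                        scope: str, challenge: str) -> str:
    """The authorization request the client redirects the browser to."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return base + "?" + urlencode(params)


def verify_code_verifier(stored_challenge: str, stored_method: str,
                         presented_verifier: str) -> bool:
    """Server side: recompute the challenge from the presented verifier and
    compare it in constant time against the one saved with the auth code."""
    if not (43 <= len(presented_verifier) <= 128):
        return False
    if stored_method == "S256":
        expected = code_challenge_s256(presented_verifier)
    elif stored_method == "plain":
        expected = presented_verifier
    else:
        return False
    return hmac.compare_digest(expected, stored_challenge)


# Assumed in-memory store standing in for the server's database:
# auth_code -> (code_challenge, code_challenge_method)
def issue_code(store: dict, challenge: str, method: str) -> str:
    """Authorization endpoint: bind the challenge to a fresh one-time code."""
    code = secrets.token_urlsafe(24)
    store[code] = (challenge, method)
    return code


def token_endpoint(store: dict, code: str, presented_verifier: str) -> dict:
    """Token endpoint: a code is consumed on first use; the verifier must match.
    The error body mirrors the JSON shown in the post."""
    entry = store.pop(code, None)
    if entry is None:
        return {"errors": [{"code": "invalid_grant",
                            "message": "unknown_or_used_code", "params": []}]}
    challenge, method = entry
    if not verify_code_verifier(challenge, method, presented_verifier):
        return {"errors": [{"code": "invalid_grant",
                            "message": "provided_code_verifier_does_not_match_code_challenge",
                            "params": []}]}
    return {"access_token": secrets.token_urlsafe(32), "token_type": "bearer"}


# Known-good pair from RFC 7636 Appendix B
RFC7636_VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
RFC7636_CHALLENGE = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"


def rfc7636_vector_matches() -> bool:
    return code_challenge_s256(RFC7636_VERIFIER) == RFC7636_CHALLENGE


def demo() -> dict:
    """Run one full round trip with constructed client_id/redirect_uri values."""
    store = {}
    verifier = generate_code_verifier()
    challenge = code_challenge_s256(verifier)
    url = build_authorize_url("https://example.com/oauth2/authorize", "12345",
                              "https://example.com/auth/signIn", "user:read", challenge)
    code = issue_code(store, challenge, "S256")
    ok = token_endpoint(store, code, verifier)          # correct verifier
    replay = token_endpoint(store, code, verifier)      # same code again: must fail
    return {"url": url, "ok": ok, "replay": replay}


if __name__ == "__main__":
    print(demo())
```

If a client's verifier/challenge pair passes rfc7636_vector_matches and the token endpoint still returns provided_code_verifier_does_not_match_code_challenge, the problem is on the server side (wrong stored challenge, wrong method, or a comparison against padded or non-URL-safe base64), which is what the staff reply below confirms for this version.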
Sorry to bump this, but it is critically blocking my development. Can I get confirmation of whether this is user error or a bug? From all my testing it appears to be a bug, as the same code works perfectly against another identity provider.
 
Thank you for reporting this issue, it has now been resolved. We are aiming to include any changes that have been made in a future XF release (2.3.5).

Change log:
Fix issue where code challenges for public OAuth2 clients could not be verified
There may be a delay before changes are rolled out to the XenForo Community.