Okta - PKCE Verification Failed while requesting token

Let me clarify a few concepts before I dive into the resolution for "PKCE Verification Failed"
  • The "Authorization Code" flow is an OAuth 2.0 flow in which the Authorization Server issues an authorization code. The client exchanges this code for tokens, and the access token is then used to access the protected resources. The code is delivered through the front channel (a browser redirect), so it is susceptible to interception attacks.
  • PKCE, which stands for "Proof Key for Code Exchange" (RFC 7636), protects the exchange of an authorization code for tokens against such interception: a stolen code is useless without the secret the client holds.
  • In PKCE, the client generates a random code verifier and derives a code challenge from it (with the S256 method, the base64url-encoded SHA-256 hash of the verifier). The client sends the code challenge, together with the code_challenge_method, on the authorization request, and the server stores it alongside the code it issues. When the client later redeems the code at the token endpoint, it sends the code verifier; the server hashes the verifier the same way and compares the result with the stored challenge. A match proves that the token request came from the same client that started the flow.

While requesting an access token from the token endpoint (/token), I received the following response.

{
    "error": "invalid_grant",
    "error_description": "PKCE verification failed"
}
It turned out that not every code verifier I generated was accepted by Okta. To get past this error, generate a fresh verifier and challenge and try again. Before blaming the server, though, check the pair against RFC 7636: the verifier must be 43 to 128 characters drawn from [A-Za-z0-9-._~], and an S256 challenge must be the base64url encoding of the SHA-256 digest of the verifier with the trailing "=" padding removed. Standard base64 output (containing "+", "/" or "="), a hex digest, or a verifier that is too short are the usual reasons a challenge never matches.
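The following is an added example, not code from the original post or from Okta: it generates a verifier and challenge the way RFC 7636 prescribes, simulates the server-side check described in the concepts above with a small stand-in authorization server (FakeAuthServer is constructed for this example and is not Okta's implementation), and reproduces the "PKCE verification failed" response for the malformed pairs discussed in the resolution. The verifier_problems check and the assumption that the server rejects a malformed verifier outright are mine; Okta's exact validation rules are not stated on this page.

```python
import base64
import hashlib
import re
import secrets


def b64url_nopad(raw: bytes) -> str:
    """base64url without '=' padding, the encoding RFC 7636 mandates."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_verifier(nbytes: int = 32) -> str:
    """32 random bytes become a 43-character verifier, the RFC minimum length."""
    return b64url_nopad(secrets.token_bytes(nbytes))


def make_challenge(verifier: str) -> str:
    """S256: code_challenge = BASE64URL-ENCODE(SHA256(ASCII(code_verifier)))."""
    return b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())


# Two challenge encodings that look plausible but do not follow RFC 7636.
def padded_challenge(verifier: str) -> str:
    """Wrong: standard base64 with '+', '/' and '=' padding."""
    return base64.b64encode(hashlib.sha256(verifier.encode("ascii")).digest()).decode("ascii")


def hex_challenge(verifier: str) -> str:
    """Wrong: hex digest instead of base64url."""
    return hashlib.sha256(verifier.encode("ascii")).hexdigest()


def verifier_problems(verifier: str) -> list:
    """Ways a verifier violates RFC 7636 section 4.1; empty list means well-formed."""
    problems = []
    if not 43 <= len(verifier) <= 128:
        problems.append("length %d is outside 43..128" % len(verifier))
    if re.search(r"[^A-Za-z0-9\-._~]", verifier):
        problems.append("contains characters outside [A-Za-z0-9-._~]")
    return problems


class FakeAuthServer:
    """Stand-in for the authorization server (constructed for this example,
    not Okta's code). It stores the challenge when issuing a code and checks
    the verifier when the code is redeemed."""

    def __init__(self):
        self._codes = {}  # authorization code -> (code_challenge, method)

    def authorize(self, code_challenge: str, method: str = "S256") -> str:
        # Front channel: the client sends code_challenge with the request,
        # the server persists it and hands back a single-use code.
        code = b64url_nopad(secrets.token_bytes(16))
        self._codes[code] = (code_challenge, method)
        return code

    def token(self, code: str, code_verifier: str) -> dict:
        entry = self._codes.pop(code, None)  # a code can be redeemed once
        if entry is None:
            return {"error": "invalid_grant", "error_description": "unknown or reused code"}
        challenge, method = entry
        # Assumption for this example: a malformed verifier is rejected outright.
        if verifier_problems(code_verifier):
            return {"error": "invalid_grant", "error_description": "PKCE verification failed"}
        expected = make_challenge(code_verifier) if method == "S256" else code_verifier
        # Constant-time comparison of the recomputed and stored challenge.
        if not secrets.compare_digest(expected.encode("ascii"), challenge.encode("ascii")):
            return {"error": "invalid_grant", "error_description": "PKCE verification failed"}
        return {"token_type": "Bearer", "access_token": "example-token"}


def run_flow(server: FakeAuthServer, verifier: str, challenge: str = None) -> dict:
    """Whole exchange: challenge on the front channel, verifier on the back channel."""
    if challenge is None:
        challenge = make_challenge(verifier)
    code = server.authorize(challenge)
    return server.token(code, verifier)


if __name__ == "__main__":
    srv = FakeAuthServer()
    v = make_verifier()
    print("correct pair:           ", run_flow(srv, v))
    print("padded base64 challenge:", run_flow(srv, v, padded_challenge(v)))
    print("hex challenge:          ", run_flow(srv, v, hex_challenge(v)))
    print("42-char verifier:       ", run_flow(srv, v[:42]))
    print("problems with v[:42]:   ", verifier_problems(v[:42]))
```

Run verifier_problems() and make_challenge() against the exact strings your client puts on the wire before retrying against Okta; if the pair is well-formed and the challenge on the authorization request equals make_challenge(verifier), regenerating the pair as described above is the next step.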
