By: Teemu Kääriäinen user 09 May 2016 at 1:16 a.m. CDT

4 Responses
Teemu Kääriäinen gravatar
Hi, we came across an issue in Gluu login functionality when using OAuth 2.0 PKCE extension. What happens is that as part of the login flow when accessing authorization endpoint, Gluu loses the provided code_challenge and code_challenge_method provided by the client application. The flow is following: 1) Client provides code_challenge and code_challenge_method in the call to authorization endpoint: ``` GET /oxauth/seam/resource/restv1/oxauth/authorize?redirect_uri=com.nixu.mobilesso.mobilessodemo%3A%2F%2Foidc_callback&client_id=********&response_type=code&state=********&scope=openid%20profile%20email&code_challenge=********&code_challenge_method=S256 ``` 2) Gluu responds with HTTP status code 302 and value of Location header indicates that code_challenge and code_challenge_method are no longer present. ``` Location: https://********/oxauth/authorize?scope=openid+profile+email&response_type=code&redirect_uri=com.nixu.mobilesso.mobilessodemo%3A%2F%2Foidc_callback&state=********&client_id=******** ``` Eventually after successful login, when passing code_verifier as part of the call to token endpoint, it responds with HTTP status code 401 and following error payload: ``` "error":"invalid_grant","error_description":"The provided authorization grant is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client." ``` This works OK when user does not need to login.

By Michael Schwartz Account Admin 09 May 2016 at 2:38 a.m. CDT

Michael Schwartz gravatar
Yuriy, can you take a look?

By Yuriy Zabrovarnyy staff 09 May 2016 at 6:14 p.m. CDT

Yuriy Zabrovarnyy gravatar
Fixed in master branch [in commit](

By Teemu Kääriäinen user 10 May 2016 at 4:31 a.m. CDT

Teemu Kääriäinen gravatar
Deployed to our test environment. We will verify this and will get back to you with the test results.

By Teemu Kääriäinen user 10 May 2016 at 5:01 a.m. CDT

Teemu Kääriäinen gravatar
Tested with iOS AppAuth SDK and verified that the fix works. Thank you very much for fixing this. You may close the ticket.