By: attila boncser user 24 Sep 2019 at 5:21 a.m. CDT

1 Response
**Expected behaviour:** According to the PKCE RFC, if `code_challenge_method` is missing from the Authorization request (Auth code flow) but `code_challenge` is present, the OP should default the method to "plain". Excerpt from the RFC:

> code_challenge_method
> OPTIONAL, defaults to "plain" if not present in the request. Code verifier transformation method is "S256" or "plain".

**How it works:** If `code_challenge_method` is missing from the Authorization request, the PKCE validation fails and the OP returns an error, despite the code verifier and code challenge matching.

**Reproduce:** Create a test client on Gluu with basic config (working redirect uri, ex., scope, response types). Send the Authorization request:

| param | value |
| -- | -- |
| client_id | "client-id" |
| redirect_uri | |
| response_type | code |
| scope | openid |
| code_challenge | abcd1234 |

Send the Token request with the same values. In case of the plain `code_challenge_method`, code_challenge = code_verifier, so use the same value as `code_verifier` in the token request (basic auth was used for the token endpoint):

| param | value |
| -- | -- |
| grant_type | authorization_code |
| redirect_uri | |
| code | "code-from-authorization" |
| scope | openid |
| code_verifier | abcd1234 |

The response returns invalid grant:

```json
{
  "error": "invalid_grant",
  "error_description": "The provided authorization grant is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client."
}
```

In the logs the following can be seen: PKCE check fails. Code challenge does not match to request code verifier. Excerpt from the log:

```
[ rizeRestWebServiceImpl] ( - Attempting to request authorization: acrValues = null, amrValues = null, originHeaders = null, codeChallenge = **zN0ugtnm3DnY40yssZv9PY6JeAzjMdvB7M1hoveu1S5BypL2uJZzG1rZKtvRrG5IfZhGEYMw0Vn4jNaXhwccIeaFdlrZzv3tijecGaZKksAU01AY78otMNZGX5Ym9T68**, codeChallengeMethod = null, customRespHeaders = null, claims = null, tokenBindingHeader = null
...
Put authorization grant in cache, code: **60913ec3-1735-417f-9295-a339fad2d55c**, clientId: @!208E.8D83.ECD8.EAE5!0001!1530.E766!0008!A1BA.5D81.6CC9.33C6
Attempting to request access token: grantType = authorization_code, code =**60913ec3-1735-417f-9295-a339fad2d55c**, redirectUri =, username = null, refreshToken = null, clientId = null, ExtraParams = {**code=[60913ec3-1735-417f-9295-a339fad2d55c]**, redirect_uri=[], grant_type=[authorization_code], code_verifier=[zN0ugtnm3DnY40yssZv9PY6JeAzjMdvB7M1hoveu1S5BypL2uJZzG1rZKtvRrG5IfZhGEYMw0Vn4jNaXhwccIeaFdlrZzv3tijecGaZKksAU01AY78otMNZGX5Ym9T68], scope=[openid]}, isSecure = true, codeVerifier = zN0ugtnm3DnY40yssZv9PY6JeAzjMdvB7M1hoveu1S5BypL2uJZzG1rZKtvRrG5IfZhGEYMw0Vn4jNaXhwccIeaFdlrZzv3tijecGaZKksAU01AY78otMNZGX5Ym9T68, ticket = null
[] ( - AuthorizationCodeGrant : 'AbstractAuthorizationGrant{user=org.xdi.oxauth.model.common.User@607f0791, authorizationCode=org.xdi.oxauth.model.common.AuthorizationCode@13d9b5a6, client=org.xdi.oxauth.model.registration.Client@2c688c33, grantId='6ed7ba30-49b3-4aa1-8c13-f7ba5da67cb4', nonce='null', acrValues='null', sessionDn='oxAuthSessionId=a65549a7-5a72-45ed-9514-675585f84c95,ou=session,o=@!208E.8D83.ECD8.EAE5!0001!1530.E766,o=gluu', **codeChallenge='zN0ugtnm3DnY40yssZv9PY6JeAzjMdvB7M1hoveu1S5BypL2uJZzG1rZKtvRrG5IfZhGEYMw0Vn4jNaXhwccIeaFdlrZzv3tijecGaZKksAU01AY78otMNZGX5Ym9T68**', **codeChallengeMethod='null'**, authenticationTime=Tue Sep 24 09:33:15 CEST 2019, scopes=[openid], authorizationGrantType=authorization_code, tokenBindingHash=null, claims=null}'
2019-09-24 11:52:29,930 TRACE [qtp1094834071-12] [] ( - **PKCE validation, code_verifier: zN0ugtnm3DnY40yssZv9PY6JeAzjMdvB7M1hoveu1S5BypL2uJZzG1rZKtvRrG5IfZhGEYMw0Vn4jNaXhwccIeaFdlrZzv3tijecGaZKksAU01AY78otMNZGX5Ym9T68, code_challenge: zN0ugtnm3DnY40yssZv9PY6JeAzjMdvB7M1hoveu1S5BypL2uJZzG1rZKtvRrG5IfZhGEYMw0Vn4jNaXhwccIeaFdlrZzv3tijecGaZKksAU01AY78otMNZGX5Ym9T68, method: null**
2019-09-24 11:52:29,930 ERROR [qtp1094834071-12] [] ( - **PKCE check fails. Code challenge does not match to request code verifier**, grantId:6ed7ba30-49b3-4aa1-8c13-f7ba5da67cb4, **codeVerifier: zN0ugtnm3DnY40yssZv9PY6JeAzjMdvB7M1hoveu1S5BypL2uJZzG1rZKtvRrG5IfZhGEYMw0Vn4jNaXhwccIeaFdlrZzv3tijecGaZKksAU01AY78otMNZGX5Ym9T68**
```

I believe the reason might be the matched method check in:

```java
if (Strings.isNullOrEmpty(codeChallenge) || codeChallengeMethod == null || Strings.isNullOrEmpty(codeVerifier)) {
    return false;
}
```

On an additional note, I tried to set `code_challenge_method` to plain with my requests and then it worked as expected.
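The two behaviours contrasted in this report, as an added Python example that is not oxauth code and not part of the original post: `pkce_check_strict` reproduces the rejection of a request with no method, `pkce_check_rfc` applies the RFC 7636 default of "plain" (and the S256 transform when requested). The function names and the RFC verifier-length rule it enforces are this example's own assumptions.

```python
import base64
import hashlib
import hmac
import re

# RFC 7636 section 4.1: unreserved characters, 43 to 128 of them.
_VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def s256_challenge(code_verifier: str) -> str:
    """BASE64URL(SHA256(ASCII(code_verifier))) without '=' padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def _challenge_matches(code_challenge: str, method: str, code_verifier: str) -> bool:
    if not _VERIFIER_RE.match(code_verifier):
        return False
    if method == "plain":
        expected = code_verifier
    elif method == "S256":
        expected = s256_challenge(code_verifier)
    else:
        return False  # unknown transform: reject rather than guess
    # Constant-time comparison on bytes; the challenge came from a client.
    return hmac.compare_digest(expected.encode("ascii"), code_challenge.encode("utf-8"))


def pkce_check_strict(code_challenge, code_challenge_method, code_verifier) -> bool:
    """Behaviour described in the thread: a missing method fails the check."""
    if not code_challenge or code_challenge_method is None or not code_verifier:
        return False
    return _challenge_matches(code_challenge, code_challenge_method, code_verifier)


def pkce_check_rfc(code_challenge, code_challenge_method, code_verifier) -> bool:
    """RFC 7636 section 4.3: code_challenge_method defaults to 'plain'."""
    if not code_challenge or not code_verifier:
        return False
    method = code_challenge_method or "plain"
    return _challenge_matches(code_challenge, method, code_verifier)
```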

By Yuriy Zabrovarnyy staff 24 Sep 2019 at 6:37 a.m. CDT

You are right, right now oxauth requires `code_challenge_method` to be specified explicitly, and if it's not set then validation fails. Opened an improvement ticket to fall back to the `plain` method if nothing is specified in the request. It will be fixed in 4.0. Thanks, Yuriy Z