Exchange code from PKCE flow

[vzenix]

Hi.

I'm trying to implement a PKCE flow, I can get the code, but I can't exchange it for an access token, i get this error

{
  "error": "invalid_grant",
  "error_description": "The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client.",
  "error_hint": "The PKCE code challenge did not match the code verifier.",
  "status_code": 400
}

I try to use the "login_challenge" as code_verifier for generate the code verifier and get this request using the algorithm code_challenge = BASE64URL-ENCODE(SHA256(ASCII(code_verifier))).

POST https://localhost:4444/oauth2/token

BODY
> grant_type=authorization_code
> code=obC7K0XicCC-iunig-33hPUQIhN4fS9eU3vMe8OfCtA.xWyQbGdMuKa1EV7epkt-h32g-8UzuVEBHpIvEnXZWnw
> code_verifier=rqS-f-CMQQfhhGnVH70X2xB8EpcasKXFaA_vUcXEKN0
> redirect_uri=http://localhost/v1/status
> client_id=myclient_none

HEADERS
> content-type: multipart/form-data;
> origin: http://localhost
> accept: application/json
> cache-control: no-cache
> content-length: 600

[vzenix]

Ok, i find the solution, when start the request i need to add a code_challenge.

The start of flow is with the params

• client_id=.
• response_type=code
• scope=
• redirect_uri=
• scope= example: openid.
• state randon string for prevent cross-site request.
• code_challenge_method=S256.
• code_challenge= is the code challenge used for PKCE at this point.

The end flow

POST https://localhost:4444/oauth2/token

BODY
> grant_type=authorization_code
> code=obC7K0XicCC-iunig-33hPUQIhN4fS9eU3vMe8OfCtA.xWyQbGdMuKa1EV7epkt-h32g-8UzuVEBHpIvEnXZWnw
> code_verifier=Generated from code challenge set on start
> redirect_uri=exaple: http://localhost/v1/status
> client_id=<string>