Auth0 - Failed to verify code verifier Error

Help
1

I’m writing a script which uses auth0 to authenticate with a remote API.

Following this tutorial:
https://auth0.com/docs/api-auth/tutorials/authorization-code-grant-pkce

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
    "strings"
)

func genAuth0CodeVerifierChallance() (string, string) {

	// Generate random Code Verifier
	c := make([]byte, 32)
	rand.Read(c)
	code := base64.StdEncoding.EncodeToString(c)
	code = strings.Replace(code, "+", "-", -1)
	code = strings.Replace(code, "/", "_", -1)
	code = strings.Replace(code, "=", "", -1)

	// Generate auth0 challange
	ch := sha256.Sum256([]byte(code))
	challange := base64.StdEncoding.EncodeToString(ch[:])
	challange = strings.Replace(challange, "+", "-", -1)
	challange = strings.Replace(challange, "/", "-", -1)
	challange = strings.Replace(challange, "=", "", -1)

	return code, challange
}

I use that function to generate a code challenge, for example eQM2dqasJN3-gXcM0g1Se-CmAn8PyU7c5uHRKU7Exa0

I make a HTTP Post with the payload

p := &payloadData{
    	GrantType:    "authorization_code",
    	ClientId:     "...............................", (removed)
    	CodeVerifier: codeChallenge, 
    	Code:         code, (example: AuL3ArApgQ4QDu_9)
    	RedirectUri:  "http://127.0.0.1:16272/oauth/token",
}

...marshal json...

req, _ := http.NewRequest("POST", "https://my-app.eu.auth0.com/oauth/token", bytes.NewBuffer(payload))

I get the error:

{403 Forbidden 403…

{“error”:“invalid_grant”,“error_description”:“Failed to verify code verifier”}

Other references to this have said characters weren’t properly url encoded/replaced in the base64 encoded challenge.

I’ve tried with the following two encoding’s for /

code = strings.Replace(code, "+", "-", -1)
code = strings.Replace(code, "/", "_", -1)
code = strings.Replace(code, "=", "", -1)

and

code = strings.Replace(code, "+", "-", -1)
code = strings.Replace(code, "/", "-", -1)
code = strings.Replace(code, "=", "", -1)

But I always get:

{“error”:“invalid_grant”,“error_description”:“Failed to verify code verifier”}

2

I printed the requests to the terminal and the code challenge looks the same, but I still get the error.

Code request:

https://my-app.eu.auth0.com/authorize?scope=openid+profile+email&audience=http://google_api&response_type=code&client_id=A...removed...E&code_challenge=McWomaHCn9RA4--uMGFhsl4HHNcVTfjSVZCtaR-62cM&code_challenge_method=S256&redirect_uri=http://127.0.0.1:36576/auth0/authenticate/

Payload:

{"grant_type":"authorization_code","client_id":"A...removed...E","code_verifier":"McWomaHCn9RA4--uMGFhsl4HHNcVTfjSVZCtaR-62cM","code":"owv8vm8Sz0JPPq5Z”,”redirect_uri":"http://127.0.0.1:36576/oauth/token"}

Token request:

req, _ := http.NewRequest("POST", "https://my-app.eu.auth0.com/oauth/token", bytes.NewBuffer(payload))

Error:

{"error":"invalid_grant","error_description":"Failed to verify code verifier"}
3

I got super frustrated at trying to generate my own verifier and challenge. Then I stumbled on Online PKCE Generator Tool which let me compare a working generator to my own. Lo and behold I was using Ruby’s hexdigest for the SHA256 instead of just digest which was making my challenge always wrong. I did have to read RFC 7636: Proof Key for Code Exchange by OAuth Public Clients VERY closely to fully understand how to implement this solution but I finally got it to work!