I’m writing a script which uses auth0 to authenticate with a remote API.
Following this tutorial:
https://auth0.com/docs/api-auth/tutorials/authorization-code-grant-pkce
import (
"crypto/rand"
"crypto/sha256"
"encoding/base64"
"strings"
)
func genAuth0CodeVerifierChallance() (string, string) {
// Generate random Code Verifier
c := make([]byte, 32)
rand.Read(c)
code := base64.StdEncoding.EncodeToString(c)
code = strings.Replace(code, "+", "-", -1)
code = strings.Replace(code, "/", "_", -1)
code = strings.Replace(code, "=", "", -1)
// Generate auth0 challange
ch := sha256.Sum256([]byte(code))
challange := base64.StdEncoding.EncodeToString(ch[:])
challange = strings.Replace(challange, "+", "-", -1)
challange = strings.Replace(challange, "/", "-", -1)
challange = strings.Replace(challange, "=", "", -1)
return code, challange
}
I use that function to generate a code challenge, for example eQM2dqasJN3-gXcM0g1Se-CmAn8PyU7c5uHRKU7Exa0
I make a HTTP Post with the payload
p := &payloadData{
GrantType: "authorization_code",
ClientId: "...............................", (removed)
CodeVerifier: codeChallenge,
Code: code, (example: AuL3ArApgQ4QDu_9)
RedirectUri: "http://127.0.0.1:16272/oauth/token",
}
...marshal json...
req, _ := http.NewRequest("POST", "https://my-app.eu.auth0.com/oauth/token", bytes.NewBuffer(payload))
I get the error:
{403 Forbidden 403…
{“error”:“invalid_grant”,“error_description”:“Failed to verify code verifier”}
Other references to this have said characters weren’t properly url encoded/replaced in the base64 encoded challenge.
I’ve tried with the following two encoding’s for /
code = strings.Replace(code, "+", "-", -1)
code = strings.Replace(code, "/", "_", -1)
code = strings.Replace(code, "=", "", -1)
and
code = strings.Replace(code, "+", "-", -1)
code = strings.Replace(code, "/", "-", -1)
code = strings.Replace(code, "=", "", -1)
But I always get:
{“error”:“invalid_grant”,“error_description”:“Failed to verify code verifier”}