Authorization Code Flow with PKCE - Using express backend 404

Express app running on http://localhost:6001 receiving requests from an Electron application on http://localhost:5000.

Authentication process:

Authorization Code Flow with PKCE - Authorizing the user (native app) and receiving the authorization code in the URL callback.

Decode it and then use it in the POST /oauth/token.

However, I’m receiving 404 error "Request failed with status code 400" when I call the GET /authorize endpoint.

```typescript
const express = require("express");
const cors = require("cors");
import * as crypto from 'crypto';
import { nanoid } from 'nanoid'
import axios from 'axios';

const bodyParser = require ('body-parser');
const app = express();
var port = 6001;

app.use(cors());
app.use(bodyParser());
app.listen(port, () => console.log(`Example app listening on port ${port}!`));

app.get("/authorize", async (req: any, res: any, next:any) => {
  // Creates verifier 
  function base64URLEncode(str: Buffer) {
    return str.toString('base64')
      .replace(/\+/g, '-')
      .replace(/\//g, '_')
      .replace(/=/g, '');
  }
  var verifier = base64URLEncode(crypto.randomBytes(32));
  // Generate a code_challenge
  function sha256(buffer: string) {
    return crypto.createHash('sha256').update(buffer).digest();
  }
  var challenge = base64URLEncode(sha256(verifier));

  var nonce = nanoid();

  await axios.get(`https://dev-49v8whrc.us.auth0.com/authorize?response_type=code&
        client_id=----------------------&
        prompt=none&
        connection=Username-Password-Authentication&
        redirect_uri=http://localhost:6001/authorize&
        nonce=${nonce}&
        code_challenge=${challenge}&
        code_challenge_method=S256`).then((authCode: any) => res.send(authCode) ).catch((err) => res.send(err))

});
```

Hi @ibrahimsam96

Welcome to Auth0 Community. It’s great to have you on board.

It sounds like there’ll be an issue with the request that you’re making if you’re getting a 400. If you have a native app I’m assuming we cannot review the browser dev tools to have a look at the request that’s being sent? Maybe you can put some logging in to the backend code, analyse the /authorize request that’s being sent and ensure it looks something like this along with the correct parameters https://auth0.com/docs/get-started/authentication-and-authorization-flow/add-login-using-the-authorization-code-flow-with-pkce#authorization-url-example

It might also be worth taking the request that you’re making and sending it across via a curl command to help troubleshoot the issue.

Feel free to let us know if you still have issues with this.
Regards.

Hey Saqib!

EDIT: I think I’m using the /authorize endpoint incorrectly. As noted in the doc, it should redirect back from an IdP, and so I’m using the Username-Password-Authentication as a connection. I will get back to this when I do the Google and Microsoft logins. Thanks for looking into this!

Sure let us know if you have other questions down the road!
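
The request pieces discussed in this thread, as an added example that is not the poster's or Auth0's code: the PKCE verifier/challenge pair, an /authorize URL built with URLSearchParams so that every parameter is percent-encoded and the query carries no stray whitespace, and the POST /oauth/token body that sends the stored verifier back. The returned URL is one the user's browser is redirected to, not one the backend fetches. The tenant domain, client ID, `/callback` path, `scope` value, `state` parameter and in-memory `pending` map are assumptions made for illustration.

```javascript
const crypto = require("node:crypto");

// RFC 7636: the verifier is 43-128 unreserved characters; 32 random bytes give 43.
function createPkcePair() {
  const verifier = crypto.randomBytes(32).toString("base64url");
  const challenge = crypto.createHash("sha256").update(verifier).digest("base64url");
  return { verifier, challenge };
}

// state -> verifier (assumption: single process; a session store would replace this).
const pending = new Map();

// URL for the browser redirect. URLSearchParams percent-encodes each value.
function buildAuthorizeUrl({ domain, clientId, redirectUri, scope }) {
  const { verifier, challenge } = createPkcePair();
  const state = crypto.randomBytes(16).toString("base64url");
  pending.set(state, verifier); // kept server-side until the callback arrives
  const url = new URL(`https://${domain}/authorize`);
  url.search = new URLSearchParams({
    response_type: "code",
    client_id: clientId,
    redirect_uri: redirectUri,
    scope,
    state,
    code_challenge: challenge,
    code_challenge_method: "S256",
  }).toString();
  return url.toString();
}

// Called by the redirect_uri handler with the callback's query parameters.
// Returns the form body for POST /oauth/token; throws on an unknown or reused state.
function buildTokenRequest({ code, state }, { clientId, redirectUri }) {
  const verifier = pending.get(state);
  if (!code || !verifier) throw new Error("unknown state or missing code");
  pending.delete(state); // one-time use
  return new URLSearchParams({
    grant_type: "authorization_code",
    client_id: clientId,
    code,
    code_verifier: verifier,
    redirect_uri: redirectUri,
  }).toString();
}

// Constructed placeholder values, not a real tenant or client.
const cfg = { domain: "tenant.example.com", clientId: "YOUR_CLIENT_ID",
  redirectUri: "http://localhost:6001/callback", scope: "openid profile" };
console.log(buildAuthorizeUrl(cfg));
```

The authorization server recomputes the SHA-256 of `code_verifier` at the token endpoint and compares it with the `code_challenge` from the first request, so the verifier has to survive between the two steps.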
