Authorization Code Flow with PKCE - Using express backend 404

Express app running on http://localhost:6001 receiving requests from an Electron application on http://localhost:5000.

Authentication process:

Authorization Code Flow with PKCE - Authorize the user (native app) and receive the authorization code in the URL callback.

Decode it and then use it in the POST /oauth/token.

However, I’m receiving a 404 error "Request failed with status code 400" when I call the GET /authorize endpoint.

const express = require("express");
const cors = require("cors");
import * as crypto from 'crypto';
import { nanoid } from 'nanoid'
import axios from 'axios';

const bodyParser = require ('body-parser');
const app = express();
var port = 6001;

app.listen(port, () => console.log(`Example app listening on port ${port}!`));

app.get("/authorize", async (req: any, res: any, next:any) => {
  // Creates verifier: 32 random bytes, base64url-encoded without padding
  function base64URLEncode(str: Buffer) {
    return str.toString('base64')
      .replace(/\+/g, '-')
      .replace(/\//g, '_')
      .replace(/=/g, '');
  }
  var verifier = base64URLEncode(crypto.randomBytes(32));
  // Generate a code_challenge: base64url(SHA-256(verifier))
  function sha256(buffer: string) {
    return crypto.createHash('sha256').update(buffer).digest();
  }
  var challenge = base64URLEncode(sha256(verifier));

  var nonce = nanoid();

  // The backend itself requests /authorize here; this is the call that fails
  await axios.get(`
        code_challenge_method=S256`).then((authCode: any) => res.send(authCode) ).catch((err) => res.send(err))
});


Hi @ibrahimsam96

Welcome to Auth0 Community. It’s great to have you on board.

It sounds like there’ll be an issue with the request that you’re making if you’re getting a 400. If you have a native app I’m assuming we cannot review the browser dev tools to have a look at the request that’s being sent? Maybe you can put some logging in to the backend code, analyse the /authorize request that’s being sent and ensure it looks something like this along with the correct parameters

It might also be worth taking the request that you’re making and sending it across via a curl command to help troubleshoot the issue.

Feel free to let us know if you still have issues with this.


Hey Saqib!

EDIT: I think I’m using the /authorize endpoint incorrectly. As noted in the doc, it should redirect back from an IdP, and so I’m using the Username-Password-Authentication as a connection. I will get back to this when I do the Google and Microsoft logins. Thanks for looking into this!


Sure let us know if you have other questions down the road!
