“Failed to verify code verifier” Error after User Authenticates

Issue with PKCE Implementation and JWT Exchange in Auth0

Hello Auth0 Community,

I’m encountering issues with the PKCE implementation when trying to exchange a code for a JWT in my application. Here’s the situation:

My Implementation:

  1. I successfully generate the code_verifier and code_challenge values.
  2. The code_challenge is included in the initial login request, and I get redirected to the Auth0 login page.
  3. My logic supports silent authentication, so the code_challenge is included throughout the process.

The Problem:

  • If login fails on the first attempt, the user is redirected back to my application. I then reuse the same code_challenge from the initial request and prompt the login again.
  • After a successful login, I receive the code and state as expected.

Here’s where things get confusing:

  • When I attempt to exchange the received code for a JWT from my app, the request fails.
  • However, if I take the exact same request and send it via Postman, it works perfectly.

Another Concern:

I’m also puzzled by how PKCE is handled in some scenarios:

  • If I don’t include a code_challenge in the initial login request, I can still receive a code.
  • When I attempt to exchange the code for a JWT (providing a code_verifier), Auth0 doesn’t reject the request, even though the code_challenge was never provided in the first place.

I expected Auth0 to reject the flow if a code_challenge wasn’t specified during the initial login, since it seems crucial for PKCE validation.


Questions:

  1. Why does the code exchange work in Postman but fail in my application? Are there potential app configuration issues I might be overlooking? Or is my app not giving Auth0 time to store or validate the code_challenge?
  2. Is this behavior with PKCE expected? Shouldn’t Auth0 enforce the use of the code_challenge if a code_verifier was provided in the POST request to exchange for the JWT?

The purpose of PKCE is to ensure that the authorization code can only be exchanged by the application that made the authorization request, but it’s the application’s responsibility to properly implement this security measure.
Require a code_challenge and code_verifier on auth code with PKCE grant

But then if I provide the code_verifier with a code that never got a code_challenge, it is Auth0’s responsibility to fail the request. Otherwise, what would be the point of PKCE if Auth0 doesn’t verify it?

I already went through this and I am not doing multiple requests. The request to get the JWT always fails with An error occurred while processing the request.: {"error":"invalid_grant","error_description":"Failed to verify code verifier"} if I run it from my app. I have tested different methods and it always fails. Testing with the same code_challenge and code_verifier my app generates works from Postman.

I’d greatly appreciate any guidance or clarification on these issues.

Ok, my bad. Somehow I was generating the wrong code_challenge following these instructions.

Add Login Using the Authorization Code Flow with PKCE

Then I decided to use the pkce-challenge package and it works out of the box. However, the other problem is still there: when logging in without a code_challenge but requesting the JWT with a code_verifier, it doesn’t fail.
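As an added illustration (not code from this thread, from Auth0, or from the pkce-challenge package), the S256 derivation from RFC 7636 next to a toy server-side check of the kind the thread is arguing about. `ToyAuthServer`, its `strict_pkce` flag and the token values are assumptions constructed for the example; the flag stands in for the policy the poster expected (reject a code_verifier when no code_challenge was bound to the code).

```python
import base64
import hashlib
import hmac
import secrets


def generate_code_verifier(n_bytes: int = 32) -> str:
    """RFC 7636 code_verifier: 43-128 chars of [A-Za-z0-9-._~]; 32 random bytes -> 43 chars."""
    return base64.urlsafe_b64encode(secrets.token_bytes(n_bytes)).rstrip(b"=").decode("ascii")


def code_challenge_s256(verifier: str) -> str:
    """S256: BASE64URL(SHA256(ASCII(code_verifier))) with '=' padding stripped.
    Typical wrong derivations: hashing a hex digest, keeping padding, or standard base64 (+ /)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class ToyAuthServer:
    """Constructed model of the server side: /authorize binds the challenge to the code,
    /oauth/token checks the verifier. Not Auth0's implementation."""

    def __init__(self, strict_pkce: bool):
        self.strict_pkce = strict_pkce
        self._codes = {}  # authorization code -> (code_challenge or None, method)

    def authorize(self, code_challenge=None, method="S256") -> str:
        code = secrets.token_urlsafe(16)
        self._codes[code] = (code_challenge, method)
        return code

    def token(self, code: str, code_verifier=None) -> dict:
        if code not in self._codes:
            return {"error": "invalid_grant", "error_description": "Unknown or already used code"}
        challenge, method = self._codes.pop(code)  # authorization codes are single use
        if challenge is None:
            # The case the thread asks about: the code was issued without a code_challenge.
            if self.strict_pkce and code_verifier is not None:
                return {"error": "invalid_grant", "error_description": "code_verifier without code_challenge"}
            return {"access_token": "constructed-token"}
        if code_verifier is None or method != "S256":
            return {"error": "invalid_grant", "error_description": "Failed to verify code verifier"}
        # Constant-time comparison of the recomputed challenge against the stored one.
        if not hmac.compare_digest(code_challenge_s256(code_verifier), challenge):
            return {"error": "invalid_grant", "error_description": "Failed to verify code verifier"}
        return {"access_token": "constructed-token"}
```

The first assertion below uses the RFC 7636 Appendix B test vector, which is a quick way to confirm a hand-rolled challenge generator before debugging anything else.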

Hi Jeff,
I’m running into the same issue, but Postman is also giving me the same error. Wonder if you can shoot me a DM/email and help me with this. I would appreciate that a lot.