Issue with PKCE Implementation and JWT Exchange in Auth0
Hello Auth0 Community,
I’m encountering issues with the PKCE implementation when trying to exchange a code for a JWT in my application. Here’s the situation:
My Implementation:
- I successfully generate the `code_verifier` and `code_challenge` values.
- The `code_challenge` is included in the initial login request, and I get redirected to the Auth0 login page.
- My logic supports silent authentication, so the `code_challenge` is included throughout the process.
The Problem:
- If login fails on the first attempt, the user is redirected back to my application. I then reuse the same `code_challenge` from the initial request and prompt the login again.
- After a successful login, I receive the code and state as expected.
Here’s where things get confusing:
- When I attempt to exchange the received code for a JWT from my app, the request fails.
- However, if I take the exact same request and send it via Postman, it works perfectly.
Another Concern:
I’m also puzzled by how PKCE is handled in some scenarios:
- If I don’t include a `code_challenge` in the initial login request, I can still receive a code.
- When I attempt to exchange the code for a JWT (providing a `code_verifier`), Auth0 doesn’t reject the request, even though the `code_challenge` was never provided in the first place.
I expected Auth0 to reject the flow if a `code_challenge` wasn’t specified during the initial login, since it seems crucial for PKCE validation.
Questions:
- Why does the code exchange work in Postman but fail in my application? Are there potential app configuration issues I might be overlooking, or is my app not giving Auth0 time to store or validate the `code_challenge`?
- Is this behavior with PKCE expected? Shouldn’t Auth0 enforce the use of the `code_challenge` if a `code_verifier` was provided in the POST request that exchanges the code for the JWT?
The purpose of PKCE is to ensure that the authorization code can only be exchanged by the application that made the authorization request, but it’s the application’s responsibility to properly implement this security measure.
Require a code_challenge and code_verifier on auth code with PKCE grant
But then, if I provide the `code_verifier` with a code that never got a `code_challenge`, it is Auth0’s responsibility to fail the request. Otherwise, what would be the point of PKCE if Auth0 doesn’t verify it?
I already went through this and I am not doing multiple requests. The request to get the JWT always fails with `An error occurred while processing the request.: {"error":"invalid_grant","error_description":"Failed to verify code verifier"}` if I run it from my app. I have tested different methods and it always fails. Testing with the same `code_challenge` and `code_verifier` my app generates works from Postman.
I’d greatly appreciate any guidance or clarification on these issues.
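The two things the thread keeps circling back to are (a) how the `code_verifier`/`code_challenge` pair is derived and checked, and (b) what an authorization server does with a code that was issued without any challenge. The following is an added example, not code from the original post and not Auth0's implementation: it builds the pair per RFC 7636 (S256 method, unpadded base64url), and models a hypothetical authorization server whose `require_pkce` flag stands in for the "Require a code_challenge and code_verifier" client setting mentioned above. The `AuthorizationServer` class, its method names and the RFC 7636 Appendix B test vector are assumptions of this example; the vector is included so the derivation can be checked against the spec.

```python
"""PKCE (RFC 7636) verifier/challenge derivation plus a toy token-endpoint check.
Added example; AuthorizationServer and require_pkce are hypothetical stand-ins."""
import base64
import hashlib
import hmac
import secrets

# RFC 7636 Appendix B sample pair (assumed correct here; used only as a check vector)
RFC7636_VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
RFC7636_CHALLENGE = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"


def b64url(raw: bytes) -> str:
    # RFC 7636 requires base64url WITHOUT '=' padding. Emitting standard base64
    # (with '+', '/' or '=') yields a challenge the server can never match.
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def generate_code_verifier() -> str:
    # 32 random bytes -> 43 unreserved characters, inside the 43..128 range of RFC 7636 §4.1
    return b64url(secrets.token_bytes(32))


def code_challenge_s256(verifier: str) -> str:
    # S256 method: BASE64URL(SHA256(ASCII(code_verifier)))  (RFC 7636 §4.2)
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


_MISSING = object()


class AuthorizationServer:
    """Hypothetical server: remembers the challenge per issued code and checks it at /token."""

    def __init__(self, require_pkce: bool):
        self.require_pkce = require_pkce
        self._codes = {}  # code -> (challenge, method), or None when no challenge was sent

    def authorize(self, code_challenge=None, method="S256") -> str:
        # Authorization endpoint: a server that enforces PKCE refuses requests without a challenge.
        if code_challenge is None and self.require_pkce:
            raise ValueError("invalid_request: code_challenge is required for this client")
        code = secrets.token_urlsafe(16)
        self._codes[code] = (code_challenge, method) if code_challenge else None
        return code

    def token(self, code: str, code_verifier=None) -> bool:
        # Token endpoint: codes are single use; the verifier must reproduce the stored challenge.
        stored = self._codes.pop(code, _MISSING)
        if stored is _MISSING:
            return False  # unknown or already redeemed code
        if stored is None:
            # Code was issued without a challenge: there is nothing to compare the verifier
            # against, so a server that does not enforce PKCE simply ignores it.
            return True
        challenge, method = stored
        if code_verifier is None:
            return False
        expected = code_challenge_s256(code_verifier) if method == "S256" else code_verifier
        return hmac.compare_digest(expected, challenge)


def demo() -> dict:
    """Run the scenarios discussed in the thread against the toy server."""
    verifier = generate_code_verifier()
    challenge = code_challenge_s256(verifier)
    lax = AuthorizationServer(require_pkce=False)
    results = {}
    # 1. Correct flow: challenge at /authorize, matching verifier at /token
    results["correct"] = lax.token(lax.authorize(challenge), verifier)
    # 2. Encoding slip: padded standard base64 of the same digest never verifies
    padded = base64.b64encode(hashlib.sha256(verifier.encode("ascii")).digest()).decode("ascii")
    results["padded_challenge"] = lax.token(lax.authorize(padded), verifier)
    # 3. Redeeming the same code twice fails (codes are single use)
    code = lax.authorize(challenge)
    lax.token(code, verifier)
    results["code_reuse"] = lax.token(code, verifier)
    # 4. Code issued with no challenge: the lax server accepts any verifier, as observed in the thread
    results["no_challenge_lax"] = lax.token(lax.authorize(), verifier)
    # 5. With enforcement on, the /authorize request without a challenge is refused up front
    strict = AuthorizationServer(require_pkce=True)
    try:
        strict.authorize()
        results["no_challenge_strict"] = "accepted"
    except ValueError:
        results["no_challenge_strict"] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

Scenario 2 is the one worth checking first when "Failed to verify code verifier" appears from one client but not from Postman: the challenge and verifier must be the exact ASCII strings of the unpadded base64url form, and the verifier sent to the token endpoint must be the one whose hash was sent to the authorization endpoint, not one regenerated after a redirect. Scenarios 4 and 5 show why a verifier alone proves nothing: the server can only compare against a challenge it stored, so enforcement has to happen at the authorization request.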