Failed to verify code verifier

rueben.tiow · January 27, 2023, 6:55pm

Problem statement

I am having issues with my Authorization code with PKCE flow, specifically, I am getting the “Failed to verify code verifier” error.

Symptoms

“Failed to verify code verifier” error

Cause

Calling the /authorize endpoint more than once (for example: forcing login more than once)

Solution

tl;dr: We recommend checking your application to make sure it does not make more than one login request.

Explanation:
When you make a login request, it saves the code_verifier in a cookie and sends the code_challenge to the /authorize endpoint.

If you call a login request multiple times, it will keep saving a new code_verifier which will override the previous one. It will also keep sending the browser to a new /authorize URL. If this happens, there is no guarantee that the code_challenge parameter in the /authorize URL will match the code_verifier cookie you have saved.

In short, you will need to make sure that the app only calls the login method once to log in. To reiterate, calling the login request method multiple times in quick succession will be prone to errors like the Invalid code verifier error you have observed.

See below for clarity:

// This is OK
function login() {
  loginWithRedirect();
}

// This will be error prone
function login() {
  loginWithRedirect();
  loginWithRedirect();
  loginWithRedirect();
}

rueben.tiow · January 27, 2023, 6:56pm