Last Updated: Aug 20, 2024
Overview
After configuring an application to use the Authorization Code with PKCE flow, several users are getting the following error message after they authenticate:
Failed to verify code verifier.
Applies To
- Authorization Code
- /authorize endpoint
Cause
When calling the /authorize endpoint multiple times in quick succession, the error message above may be returned.
Solution
Avoid making more than one login request:
- When a login request is made, it saves the code_verifier in a cookie and sends the code_challenge to the /authorize endpoint.
- When a login request is made multiple times, it will keep saving a new code_verifier, which will override the previous one. It will also keep sending the browser to a new authorize URL.
- If this happens multiple times, the authorize URL with its code_challenge parameter will match the code_verifier cookie previously saved.
Ensure the app only calls the login method once to log in. Calling the login method multiple times in quick succession is prone to errors (like the Invalid code verifier errors).
- NOTE: The code_challenge and the code_verifier are different.
The following example demonstrates this error:
// This is ok
function login() {
  loginWithRedirect();
}
// This will be error prone
function login() {
  loginWithRedirect();
  loginWithRedirect();
  loginWithRedirect();
}
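The overwrite described above can be reproduced offline. The following is an added example, not code from the article or from the Auth0 SDK: `makeBrowser`, `loginRequest`, `verifierMatches`, `rapidLogin`, `makeGuardedLogin` and the host `tenant.example` are hypothetical names, and which redirect the browser ends up following is an assumption modeled by the `navigationWins` parameter.

```javascript
const { createHash, randomBytes } = require("crypto");

// base64url without padding, as PKCE requires (RFC 7636).
const b64url = (buf) =>
  buf.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");

// S256: code_challenge = BASE64URL(SHA256(code_verifier))
const challengeFor = (verifier) =>
  b64url(createHash("sha256").update(verifier).digest());

// Constructed model of the browser: one cookie slot for the code_verifier and
// the single authorize URL the browser actually ends up following.
const makeBrowser = () => ({ cookie: null, followedUrl: null });

// Hypothetical login request. `navigationWins` is an assumption of this model:
// it marks whether this call's redirect is the one the browser follows.
function loginRequest(browser, navigationWins) {
  const verifier = b64url(randomBytes(32));
  browser.cookie = verifier; // overrides the previously saved verifier
  const url = "/authorize?code_challenge_method=S256&code_challenge=" + challengeFor(verifier);
  if (navigationWins) browser.followedUrl = url;
}

// Models the verifier check: the saved verifier must hash to the challenge
// that was sent on the authorize URL the browser followed.
function verifierMatches(browser) {
  const url = new URL(browser.followedUrl, "https://tenant.example");
  return challengeFor(browser.cookie) === url.searchParams.get("code_challenge");
}

// Three rapid calls: the first redirect is followed, the cookie holds the third verifier.
function rapidLogin() {
  const browser = makeBrowser();
  loginRequest(browser, true);
  loginRequest(browser, false);
  loginRequest(browser, false);
  return verifierMatches(browser);
}

// Guard: only the first call starts a login; later calls are ignored.
function makeGuardedLogin(browser) {
  let started = false;
  return () => {
    if (started) return false;
    started = true;
    loginRequest(browser, true);
    return true;
  };
}
```

In a real app the same guard is usually a disabled login button or an in-flight flag around the single call to the login method.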