"Failed to verify code verifier" Error after Users Authenticate

Last Updated: Aug 20, 2024

Overview

After configuring an application to use the Authorization Code with PKCE flow, several users get the following error message after they authenticate:

Failed to verify code verifier.

Applies To

  • Authorization Code
  • /authorize endpoint

Cause

When calling the /authorize endpoint multiple times in quick succession, the error message above may be returned.

Solution

Avoid making more than one login request at a time:

  • When a login request is made, the login method saves the code_verifier in a cookie and sends the matching code_challenge to the /authorize endpoint.
  • When a login request is made multiple times, each call saves a new code_verifier, overwriting the previous one, and also sends the browser to a new authorize URL.
    • When this happens, the code_challenge parameter on the authorize URL the browser ends up following will not match the code_verifier that was saved in the cookie.

Ensure the app calls the login method only once to log in. Calling the login method multiple times in quick succession is prone to errors such as the invalid code verifier error above.

  • NOTE: The code_challenge and the code_verifier are different values; the code_challenge is derived from the code_verifier, so both must come from the same login request.

The following example demonstrates the difference:

// This is ok: one call, one code_verifier cookie, one authorize URL
function login() {
  loginWithRedirect();
}

// This will be error prone: each call saves a new code_verifier and starts a
// new redirect, so the verifier cookie and the authorize URL can get out of sync
function login() {
  loginWithRedirect();
  loginWithRedirect();
  loginWithRedirect();
}