Within PKCE flow: At the second step my request has:
headers = ["content-type": "application/json"]
parameterDictionary = ["grant_type": "authorization_code", "client_id": clientId, "code_verifier": codeVerifier, "code": authorizationCode, "redirect_uri": redirectUri]
The App is Native.
Token Endpoint Authentication Method is set to none.
I have an error “invalid grant” with an error description “Failed to verify code verifier” from time to time (so I can’t reproduce it every time).
Are there any suggestions on what to check?
If it does not happen every time, but you are still able to reproduce it on a test/development environment, then you should try to capture the actual values being sent in order to know if the issue is that you're sending a code verifier that then fails to match the one associated with the code, or if for example a code verifier is not even being sent (for example, an empty string). It's likely the first option, but at least you'll prove it for real.
Having confirmed that a verifier is being sent the next step would be to manually verify it against the code challenge that was sent in the authorize request. If it fails validation then you likely have a state management issue in the client application where it causes the wrong verifier to be sent (for example, it uses the verifier of an old request instead of the latest one).
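To do that manual check offline, here is an added example (not code from the thread or from any vendor SDK) that recomputes the S256 challenge from a captured verifier the way the token endpoint does, rejects the empty-verifier case, and shows one way to keep a verifier per in-flight request keyed by `state` so a stale verifier is never paired with a newer code. The test vector is the one from RFC 7636 Appendix B; the class and function names are my own.

```python
import base64
import hashlib
import hmac
import secrets

# RFC 7636 Appendix B test vector (constructed input, not values from the thread).
RFC7636_VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
RFC7636_CHALLENGE = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"


def b64url_nopad(data: bytes) -> str:
    """base64url without '=' padding, as PKCE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """High-entropy verifier (RFC 7636 4.1); 32 random bytes give 43 chars."""
    return b64url_nopad(secrets.token_bytes(n_bytes))


def code_challenge_s256(code_verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url_nopad(hashlib.sha256(code_verifier.encode("ascii")).digest())


def verify_code_verifier(code_verifier, code_challenge, method="S256") -> bool:
    """The check the token endpoint performs; run it on the captured values."""
    if not code_verifier or not 43 <= len(code_verifier) <= 128:
        return False  # empty or malformed verifier: the "nothing sent" case
    if method == "S256":
        expected = code_challenge_s256(code_verifier)
    elif method == "plain":
        expected = code_verifier
    else:
        return False
    return hmac.compare_digest(expected, code_challenge)


class PkceClientState:
    """One verifier per in-flight authorization request, keyed by state,
    so the callback for request N can never be answered with verifier N-1."""

    def __init__(self):
        self._pending = {}

    def start_authorization(self):
        state = b64url_nopad(secrets.token_bytes(16))
        verifier = make_code_verifier()
        self._pending[state] = verifier
        return state, code_challenge_s256(verifier)

    def verifier_for_callback(self, state):
        # pop: each verifier is used exactly once, then discarded
        return self._pending.pop(state, None)
```

If `verify_code_verifier` returns True for the captured pair, the values are consistent and the problem is elsewhere; if it returns False while both values are non-empty, look at which request's verifier the client actually sent.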