Is code_challenge Base64 SHA256 encoded or not?

jez.becker · January 10, 2019, 1:35pm

Pretty much as the title…
is code_challenge when doing the mobilenative login flow Base64 SHA256 encoded or not Base64?

konrad.sopala · January 10, 2019, 4:44pm

Have you checked our docs? Based on what I can see here:

https://auth0.com/docs/api-auth/tutorials/authorization-code-grant-pkce#2-create-a-code-challenge

and looking at this precise code snippet, it is encoded:

function sha256(buffer) {
    return crypto.createHash('sha256').update(buffer).digest();
}
var challenge = base64URLEncode(sha256(verifier));

Hope it helps!

jez.becker · January 10, 2019, 4:46pm

Yep, not my language (I’m in As3) so I missed it. Thanks…

Doesn’t help me though unfortunatly, even base64 encoded it reckons my code_chalenge isn’t right…
thanks anyway!

mike.fitzbaxter · January 10, 2019, 5:36pm

Hey Jez, thanks for the question. From looking at the docs it might help to ensure you are doing Base64URL encoding as that differs from simple Base64 encoding. You can see in the first code snippet linked that there is a function to do the URL encoding version.

jez.becker · January 11, 2019, 11:43am

Hey @mike.fitzbaxter - I still get no love from auth0 I’m afraid.

Here’s an example code_verifier and code_challenge pair… from that code verifier - can you tell me what auth0 is expecting?

code_verifier
MQT4fQwRdlOZ94qEZx5lDMyDpPTKBuXZ2F7ZkQw2I

code_verifer_sha256 (once sha256 encoded - included here justfor completion’s sake)
ed7c3390e15e33746a70947dc80564beda711571bf1cd469ca277a1d92c2f99d

code_challenge (Base64 encoded SHA256 hash of the above verifier - submitted to auth0)
ZWQ3YzMzOTBlMTVlMzM3NDZhNzA5NDdkYzgwNTY0YmVkYTcxMTU3MWJmMWNkNDY5Y2EyNzdhMWQ5MmMyZjk5ZA==
(and I have submitted this both in this raw form and url encoded)

…and for even more detail - here is the authorization_code that I get which is submitted along with the code_challenge in step 7 of the Mobile / log in flow…
AQAxX7p88RjhNRE1zx39EdOkYU-n8eQEwBV1TydmnaZJjrCWPdFQsCkSa78byiTtdfLNTeGjI8opiK11jWk1-KhDDIskzkxlljEzUh-xMMUPBaC3j9clwrX5Hzp8yfgUmuHzqkhzaVncUPAGtOl3-LyOsFZlkJ92suJTs28I3XEh2cpbLZ3GJbtgvZvr4kaHhcyH8zNPHw73RAZQ1bVw4C73TIQG5VRL8xsH0jy8HujW01f7EqPR1jsydpo-D4SFAYuDW-gNzBNhi6V3zzrogUWrSImExOxX-PlVRC0-xengbE4l9mH_Ox9k7JUZgr0e3L4

your help is greatly appreciated

Addendum:
Does the token request have to come from the same sandboxed webview as the authorize request to be valid?
(I’ve tried it both ways - but it would be good to know)

konrad.sopala · August 29, 2019, 9:39am

Hey there!

Sorry for such huge delay in response! We’re doing our best in providing you with best developer support experience out there, but sometimes our bandwidth is not enough comparing to the number of incoming questions.

Wanted to reach out to know if you still require further assistance?