
Is code_challenge Base64 SHA256 encoded or not?


Pretty much as the title…
Is code_challenge, when doing the mobile native login flow, Base64 SHA256 encoded or not Base64?


Hey there @jez.becker!

Have you checked our docs? Based on what I can see here:

and looking at this precise code snippet, it is encoded:

function sha256(buffer) {
    return crypto.createHash('sha256').update(buffer).digest();
}
var challenge = base64URLEncode(sha256(verifier));

Hope it helps!


Yep, not my language (I’m in As3) so I missed it. Thanks…

Doesn’t help me though unfortunately, even base64 encoded it reckons my code_challenge isn’t right…
thanks anyway!


Hey Jez, thanks for the question. From looking at the docs it might help to ensure you are doing Base64URL encoding as that differs from simple Base64 encoding. You can see in the first code snippet linked that there is a function to do the URL encoding version.
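
The difference between Base64 and Base64URL described in the reply above, as an added example that is not part of the original thread or of Auth0's docs. It derives the S256 challenge as defined in RFC 7636 and checks a candidate against common wrong encodings; `wrongVariants` and `diagnose` are hypothetical helper names, and the verifier/challenge pair is the RFC 7636 Appendix B test vector.

```javascript
const crypto = require('crypto');

// Base64URL without padding: '+' -> '-', '/' -> '_', trailing '=' removed.
function base64URLEncode(buf) {
  return buf.toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
function codeChallenge(verifier) {
  const digest = crypto.createHash('sha256').update(verifier, 'ascii').digest();
  return base64URLEncode(digest); // encodes the raw 32-byte digest
}

// Common wrong derivations, kept only for comparison (hypothetical helper).
function wrongVariants(verifier) {
  const hash = () => crypto.createHash('sha256').update(verifier, 'ascii');
  return {
    // Standard Base64: still contains '+', '/' and '=' padding.
    plainBase64: hash().digest('base64'),
    // Percent-encoding standard Base64 is not the same as Base64URL.
    percentEncodedBase64: encodeURIComponent(hash().digest('base64')),
    // Encoding the 64-character hex string instead of the 32 raw bytes.
    base64OfHexString: base64URLEncode(Buffer.from(hash().digest('hex'), 'ascii')),
  };
}

// Report which derivation a candidate challenge string matches.
function diagnose(verifier, candidate) {
  if (candidate === codeChallenge(verifier)) return 'ok';
  for (const [name, value] of Object.entries(wrongVariants(verifier))) {
    if (candidate === value) return name;
  }
  return 'unknown';
}

// Test vector from RFC 7636, Appendix B.
const RFC_VERIFIER = 'dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk';
const RFC_CHALLENGE = 'E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM';

console.log(diagnose(RFC_VERIFIER, RFC_CHALLENGE));
```

A correct S256 challenge is always 43 characters from `A-Z a-z 0-9 - _` with no `=`; anything else points at one of the variants above.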


Hey @mike.fitzbaxter - I still get no love from auth0 I’m afraid.

Here’s an example code_verifier and code_challenge pair… from that code verifier - can you tell me what auth0 is expecting?


code_verifier_sha256 (once sha256 encoded - included here just for completion’s sake)

code_challenge (Base64 encoded SHA256 hash of the above verifier - submitted to auth0)
(and I have submitted this both in this raw form and url encoded)

…and for even more detail - here is the authorization_code that I get which is submitted along with the code_challenge in step 7 of the Mobile / log in flow…

Your help is greatly appreciated.

Does the token request have to come from the same sandboxed webview as the authorize request to be valid?
(I’ve tried it both ways - but it would be good to know)