
Is code_challenge Base64 SHA256 encoded or not?


#1

Pretty much as the title…
Is code_challenge, when doing the mobile native login flow, Base64 SHA256 encoded or not Base64?


#2

Hey there @jez.becker!

Have you checked our docs? Based on what I can see here:

and looking at this precise code snippet, it is encoded:

function sha256(buffer) {
    return crypto.createHash('sha256').update(buffer).digest();
}
var challenge = base64URLEncode(sha256(verifier));

Hope it helps!


#3

Yep, not my language (I’m in As3) so I missed it. Thanks…

Doesn’t help me though, unfortunately: even base64 encoded, it reckons my code_challenge isn’t right…
thanks anyway!


#4

Hey Jez, thanks for the question. From looking at the docs it might help to ensure you are doing Base64URL encoding as that differs from simple Base64 encoding. You can see in the first code snippet linked that there is a function to do the URL encoding version.


#6

Hey @mike.fitzbaxter - I still get no love from auth0 I’m afraid.

Here’s an example code_verifier and code_challenge pair… from that code verifier - can you tell me what auth0 is expecting?

code_verifier
MQT4fQwRdlOZ94qEZx5lDMyDpPTKBuXZ2F7ZkQw2I

code_verifier_sha256 (once sha256 encoded - included here just for completion’s sake)
ed7c3390e15e33746a70947dc80564beda711571bf1cd469ca277a1d92c2f99d

code_challenge (Base64 encoded SHA256 hash of the above verifier - submitted to auth0)
ZWQ3YzMzOTBlMTVlMzM3NDZhNzA5NDdkYzgwNTY0YmVkYTcxMTU3MWJmMWNkNDY5Y2EyNzdhMWQ5MmMyZjk5ZA==
(and I have submitted this both in this raw form and url encoded)

…and for even more detail - here is the authorization_code that I get which is submitted along with the code_challenge in step 7 of the Mobile / log in flow…
AQAxX7p88RjhNRE1zx39EdOkYU-n8eQEwBV1TydmnaZJjrCWPdFQsCkSa78byiTtdfLNTeGjI8opiK11jWk1-KhDDIskzkxlljEzUh-xMMUPBaC3j9clwrX5Hzp8yfgUmuHzqkhzaVncUPAGtOl3-LyOsFZlkJ92suJTs28I3XEh2cpbLZ3GJbtgvZvr4kaHhcyH8zNPHw73RAZQ1bVw4C73TIQG5VRL8xsH0jy8HujW01f7EqPR1jsydpo-D4SFAYuDW-gNzBNhi6V3zzrogUWrSImExOxX-PlVRC0-xengbE4l9mH_Ox9k7JUZgr0e3L4

your help is greatly appreciated

Addendum:
Does the token request have to come from the same sandboxed webview as the authorize request to be valid?
(I’ve tried it both ways - but it would be good to know)
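
Added example (not part of any post in this thread, and not Auth0's code): a Node.js sketch of the S256 derivation from RFC 7636, with a check that classifies a candidate code_challenge by its encoding, run over the values posted in #6. The helper names (`verifierIsWellFormed`, `diagnoseChallenge`, `reencodeFromHexText`) are hypothetical.

```javascript
// Added example, not from the thread or Auth0's docs.
const { createHash } = require('node:crypto');

// base64url without padding (RFC 4648 section 5): '+' -> '-', '/' -> '_', no '='.
function base64UrlEncode(buf) {
  return buf.toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// S256: code_challenge = BASE64URL(SHA256(ASCII(code_verifier))).
// The base64url input is the raw 32-byte digest, not its hex text.
function pkceChallenge(verifier) {
  return base64UrlEncode(createHash('sha256').update(verifier, 'ascii').digest());
}

// RFC 7636 section 4.1: 43 to 128 characters from the unreserved set.
function verifierIsWellFormed(verifier) {
  return /^[A-Za-z0-9\-._~]{43,128}$/.test(verifier);
}

// Hypothetical helper: classify a candidate code_challenge by its encoding.
function diagnoseChallenge(challenge) {
  const decoded = Buffer.from(challenge, 'base64'); // accepts both alphabets
  if (/^[0-9a-fA-F]{64}$/.test(decoded.toString('latin1'))) {
    return 'hex-text-encoded'; // base64 of the hex string, not of the digest
  }
  if (/[+\/=]/.test(challenge)) return 'standard-base64';
  if (/^[A-Za-z0-9_-]{43}$/.test(challenge) && decoded.length === 32) return 'ok';
  return 'malformed';
}

// Re-encode a 'hex-text-encoded' challenge from the digest bytes it spells out.
function reencodeFromHexText(challenge) {
  const hexText = Buffer.from(challenge, 'base64').toString('latin1');
  return base64UrlEncode(Buffer.from(hexText, 'hex'));
}

// Values as posted in #6 of this thread.
const POSTED_VERIFIER = 'MQT4fQwRdlOZ94qEZx5lDMyDpPTKBuXZ2F7ZkQw2I';
const POSTED_CHALLENGE = 'ZWQ3YzMzOTBlMTVlMzM3NDZhNzA5NDdkYzgwNTY0YmVkYTcxMTU3MWJmMWNkNDY5Y2EyNzdhMWQ5MmMyZjk5ZA==';

console.log('verifier well-formed:', verifierIsWellFormed(POSTED_VERIFIER));
console.log('posted challenge    :', diagnoseChallenge(POSTED_CHALLENGE));
console.log('re-encoded digest   :', reencodeFromHexText(POSTED_CHALLENGE));
console.log('S256 of verifier    :', pkceChallenge(POSTED_VERIFIER));
```

If the last two printed values differ, the hex digest being re-encoded was not computed over the verifier string that is sent in the token request.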