PKCE multiple retrievals

customautosys · August 17, 2024, 10:37pm

Hi, is there a way to allow the PKCE code to be used a second time after it has already been exchanged?

I’m using auth0 with directus login. The problem is, I also need the auth0 ID token to use in auth0-vue in my app, but directus doesn’t give it back to me after consuming the code. There’s no way to pass an ID token to directus. I’m trying to use the same code after redirect to obtain the ID token again after passing the code to the directus callback, but it doesn’t work and I’m told the code / state is invalid.

Is there any way to allow the PKCE code and state to be used to retrieve the same ID token a 2nd time?

ty.frith · August 20, 2024, 10:18pm

Hey there @customautosys!

The behavior you’re encountering is due to the security design of the OAuth 2.0 protocol, specifically how the Proof Key for Code Exchange (PKCE) flow is implemented. In PKCE, the authorization code (along with the PKCE code verifier) is designed to be a one-time use token. Once the authorization code is exchanged for tokens (ID token, access token, and refresh token), it cannot be used again.

I’m not entirely sure of your environment, but it might be worth looking into getting and using a refresh tokens to perform silent auth in order to get another set of tokens in your app.

Topic		Replies	Views
Use Authorization Code multiple time Get Help management-api , users	3	1503	August 3, 2023
Refresh tokens in PKCE grant flow for Electron Native desktop Get Help	2	3395	December 8, 2018
Log in and get access token using Auth0 React SDK and Authorization Code Flow with PKCE leads to infinite loop Get Help login-experience , new-universal-login-experience	2	1322	September 15, 2023
Using Authorization Code Flow with PKCE with non-native apps Get Help	4	3543	July 5, 2019
auth0 PKCE flow additional access tokens Get Help pkce , ionic2 , native	2	4121	December 14, 2018

PKCE multiple retrievals

Related topics