Setting code_verifier in the Auth0Provider?

Hello,

I’m trying to create an Auth0 login page in React. For that, I have been following this tutorial with a few changes: Auth0 React SDK Quickstarts: Login

My problem here is that in the redirect_uri field of the Auth0Provider I’m setting my backend api uri that is in .Net Core, so I can manage token and user info request there. It seems to work well, it receives the code and state strings.

But when I try to call oauth/token from there, it seems that it also needs a code_verifier, since the Auth0 SPA SDK appears to have a mandatory PKCE flow. So the problem is that I don’t have that code_verifier in my backend, so I can’t request a token. And using the Auth0Provider or Auth0Client doesn’t seem to work; those generate an internal code_verifier and I can’t access it.

Is there any way of sending the verifier to my redirect_uri? Or to disable PKCE?
Thanks


@xecollons, did you ever find the solution to getting the code_verifier on the backend? My logs still show

"description": "Parameter 'code_verifier' is required",

Using the React SDK with a Spring Boot backend. The ‘code_verifier’ is never returned on the GET request for my callback endpoint. It seems like in the flow described here, the front end is sending the code and the code_verifier to the oauth token endpoint. I think this means the front end is now making the POST, instead of the callback endpoint? Is there an example of this code using the SDK or is it all supposed to be baked in?

  <Auth0Provider
    domain="dev-tssmqhl8h73vprd3.us.auth0.com"
    clientId="Hdep9CwaCp7yAferZs4JW6fAZM9nKjJC"
    authorizationParams={{
      redirect_uri: "http://127.0.0.1:8000/api/oauth2/callback",
    }}
    useRefreshTokens={true}
    cacheLocation="localstorage"
    usePKCE={true}
  >
    <App />
  </Auth0Provider>

    // Callback the browser lands on after Auth0 redirects; only code and state arrive here.
    @GetMapping("/oauth2/callback")
    public HttpResponse<String> getredirect(@RequestParam("code") String code,
                                            jakarta.servlet.http.HttpServletRequest httpServletRequest)
            throws URISyntaxException, IOException, InterruptedException {
        // Null here: the SPA SDK keeps code_verifier in browser storage and never sends it to redirect_uri.
        String codeVerifier = httpServletRequest.getParameter("code_verifier");
        String requestBody = "grant_type=authorization_code&client_id=" + clientId
                + "&client_secret=" + clientSecret + "&code=" + code
                + "&redirect_uri=" + redirectURI + "&code_verifier=" + codeVerifier;
        // Debug output; note that this writes client_secret to the log.
        System.out.println("Request String " + requestBody + " Code Verifier " + httpServletRequest);
        HttpRequest request = HttpRequest.newBuilder()
                .uri(new URI("https://dev-tssmqhl8h73vprd3.us.auth0.com/oauth/token"))
                .POST(HttpRequest.BodyPublishers.ofString(requestBody))
                .header("content-type", "application/x-www-form-urlencoded")
                .version(HttpClient.Version.HTTP_2)
                .build();
        HttpResponse<String> response = HttpClient.newHttpClient().send(request, HttpResponse.BodyHandlers.ofString());
        System.out.println("Response " + response);
        return response;
    }

The code_verifier is null. It is also my understanding SPAs need to use PKCE, which although mentioned at a high level, I don’t believe is included in the SDK quickstart or tutorial with code examples.

My apologies if this is PEBKAC. :sweat_smile:

Were you ever able to figure this out? I’m so confused D: