Okta - PKCE Verification Failed while requesting token

Understand and resolve the "PKCE verification failed" error when integrating with Okta. This guide explains common causes, such as mismatched code verifiers, and provides troubleshooting steps to ensure secure and successful OAuth 2.0 authentication flows.
Let me clear up a few concepts before I dive into the resolution for "PKCE Verification Failed".
  • The "Authorization Code" flow is an OAuth 2.0 flow in which an authorization code is issued by the Authorization Server. The client then exchanges this code for access tokens, which are used to access protected resources. Because the authorization code is delivered through the front channel (the browser redirect), it is susceptible to interception attacks.
  • PKCE, which stands for "Proof Key for Code Exchange", protects against such interception attacks when an authorization code is exchanged for tokens.
  • In PKCE, the client generates a code verifier and a hashed value of it called the code challenge. When requesting the authorization code, the client sends the code challenge to the server, which persists it. When requesting the access token, the client sends the code verifier. The server hashes the verifier and compares the result with the stored challenge, which proves that the token request came from the same client that started the flow.

While requesting an access token using the authorization endpoint /token, I received the following response.

{
    "error": "invalid_grant",
    "error_description": "PKCE verification failed"
}

It turns out that Okta has a bug wherein not all code verifiers work for access token requests. To get past this error, you need to try again with a different verifier and challenge.
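The following Python script is an added example, not code from the original post and not Okta's implementation. It walks through the PKCE exchange described in the bullets above (client generates a verifier, derives the S256 challenge, the server recomputes and compares at /token) and adds the check a practitioner would want before retrying with a fresh verifier: whether the verifier meets the RFC 7636 rules (43 to 128 characters from the unreserved set, base64url without '=' padding). All function names, the simulated "server", and the constructed mismatch cases are assumptions of this example; the known-answer vector in the usage note comes from RFC 7636 Appendix B.

```python
from __future__ import annotations

import base64
import hashlib
import secrets
import string

# RFC 7636 section 4.1: a code_verifier is 43 to 128 characters drawn from
# the unreserved set [A-Z] / [a-z] / [0-9] / "-" / "." / "_" / "~".
UNRESERVED = set(string.ascii_letters + string.digits + "-._~")


def b64url_no_pad(raw: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def generate_code_verifier(num_bytes: int = 32) -> str:
    """Client side: 32 random bytes encode to 43 characters, the minimum length."""
    return b64url_no_pad(secrets.token_bytes(num_bytes))


def code_challenge_s256(verifier: str) -> str:
    """Client side: S256 challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url_no_pad(hashlib.sha256(verifier.encode("ascii")).digest())


def verifier_problems(verifier: str) -> list[str]:
    """Return the RFC 7636 rules a verifier breaks (empty list means well formed)."""
    problems = []
    if len(verifier) < 43:
        problems.append("shorter than 43 characters")
    if len(verifier) > 128:
        problems.append("longer than 128 characters")
    bad = sorted({ch for ch in verifier if ch not in UNRESERVED})
    if bad:
        problems.append("characters outside the unreserved set: " + "".join(bad))
    return problems


def server_verifies(stored_challenge: str, method: str, presented_verifier: str) -> bool:
    """Simulated authorization server at /token: recompute the challenge from the
    presented verifier and compare it with the one stored at /authorize."""
    if verifier_problems(presented_verifier):
        return False
    if method == "S256":
        expected = code_challenge_s256(presented_verifier)
    elif method == "plain":
        expected = presented_verifier
    else:
        return False
    return secrets.compare_digest(expected, stored_challenge)


def run_flow(verifier: str, challenge: str | None = None) -> bool:
    """Simulate both legs for one verifier: the challenge sent to /authorize
    (derived from the verifier unless a wrong one is supplied) and the verifier
    later sent to /token. Returns True when the server accepts the exchange."""
    stored = challenge if challenge is not None else code_challenge_s256(verifier)
    return server_verifies(stored, "S256", verifier)


if __name__ == "__main__":
    good = generate_code_verifier()
    print("fresh verifier accepted:", run_flow(good))
    # Constructed mismatch cases that also end in a failed PKCE check:
    padded = b64url_no_pad(secrets.token_bytes(32)) + "="          # padding left on
    print("padded verifier problems:", verifier_problems(padded))
    hex_challenge = hashlib.sha256(good.encode()).hexdigest()      # hex instead of base64url
    print("hex-encoded challenge accepted:", run_flow(good, hex_challenge))
    other = generate_code_verifier()                               # verifier from another session
    print("verifier from a different session accepted:", run_flow(other, code_challenge_s256(good)))
```

Running the script prints True for the fresh verifier and False for the two constructed mismatches, and `verifier_problems` reports the stray '=' on the padded one. As a known-answer check, `code_challenge_s256("dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk")` returns `E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM`, the pair given in RFC 7636 Appendix B; a client library whose challenge for that verifier differs is the first thing to fix before generating new verifiers.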