Error using Authorization code flow for confidential application

We have been using the SKY Raiser's Edge API in our application. It has been working perfectly with implicit flow authorization. We are trying to get the code flow authorization to work. We have followed the tutorial; however, when we try to request the token, we get this error.

400 bad request
{[error, invalid_grant]}
{[error_description, Invalid code verifier]}

We are coding in VB.NET; does anyone have any suggestions? The code verifier is the same as the one that we pass in at the request authorization stage.

Comments

  • @Matthew McGuinness

    The error message suggests that you're using PKCE and that your code_verifier is not validating the code_challenge you passed earlier. Does that error make sense in your scenario?

  • @Matthew McGuinness
    Sorry, I misread the last line of your post. You said you're using the code challenge and verifier, and that they match.

    Just to confirm, the code challenge and verifier should be different - they start with the same value, but the code challenge is hashed and then encoded, while the verifier is not. Is that how you did it?

  • @Ben Regier
    Hi Ben.

    Yes, just to clarify: we create a code verifier at the start of the authorization. This is then stored. We then use the code verifier to create the code challenge (which is used at the authorization stage). When we are getting the token, we use the stored code verifier (so not the challenge).

    Hope this makes sense; I believe we are doing it correctly.

  • @Matthew McGuinness
    Well, it certainly sounds like you're doing things correctly. I've used this authorization flow a few times myself and haven't had any issues, so that might leave us in a place where the next thing to do is just double-check all the little details.

    • Has this application been added to your environment by an admin?
    • Are you hashing with SHA256 and encoding with Base64?
    • Are you passing the code_challenge_method parameter, and if so, is it set to S256?
    • Can you confirm that the code and verifier match using a different method? For instance, can you hash and encode your verifier using PowerShell or something, and make sure it matches the value you get when you do the same thing in VB.net?
    • Are you using the authorization_code grant type?
    • Are you including the Authorization header with your encoded application id and secret?
    • Are you using the authorization code within five minutes of receiving it?
    • Do one more once-over to check code for typos.

    Sorry for the scattershot approach! With stuff like this it's easy to make a little mistake somewhere that causes the whole thing to fail.
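
As an added worked example (not code from the original post, from Blackbaud, or from the SKY API documentation), the following Python implements the RFC 7636 derivation that the checklist above asks the poster to cross-check: a random code_verifier, the S256 code_challenge computed as BASE64URL(SHA256(ASCII(code_verifier))) without padding, and the comparison a token endpoint performs when it receives the verifier. The client_id, redirect_uri and authorization code values are placeholders; the known-answer verifier/challenge pair is the one published in RFC 7636 Appendix B, so a VB.NET implementation can be compared against it directly.

```python
"""PKCE (RFC 7636) verifier/challenge helpers, added as a worked example for the
thread above. Not code from the original post or from Blackbaud's SKY API."""
import base64
import hashlib
import secrets
import string

# Characters RFC 7636 section 4.1 permits in a code_verifier.
UNRESERVED = string.ascii_letters + string.digits + "-._~"


def b64url_nopad(raw: bytes) -> str:
    """Base64url (RFC 4648 section 5) with the '=' padding removed, as PKCE requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(length: int = 64) -> str:
    """Random verifier of 43..128 unreserved characters; store it until the token request."""
    if not 43 <= length <= 128:
        raise ValueError("code_verifier must be 43 to 128 characters long")
    return "".join(secrets.choice(UNRESERVED) for _ in range(length))


def make_code_challenge(verifier: str) -> str:
    """S256 challenge: BASE64URL(SHA256(ASCII(code_verifier))).
    Hash the verifier's ASCII bytes directly, not a hex string of the digest."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return b64url_nopad(digest)


def make_wrong_challenge_std_b64(verifier: str) -> str:
    """A common mistake: standard Base64 keeps '+', '/' and '=' padding.
    A server that recomputes base64url will not match this and rejects the verifier."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def server_verify(verifier: str, challenge: str, method: str = "S256") -> bool:
    """What the token endpoint does with code_verifier: recompute the challenge
    and compare it, in constant time, against the one stored with the auth code."""
    if method == "S256":
        expected = make_code_challenge(verifier)
    elif method == "plain":
        expected = verifier
    else:
        return False
    return secrets.compare_digest(expected, challenge)


def authorize_params(client_id: str, redirect_uri: str, challenge: str) -> dict:
    """Query parameters for the authorization request (names per RFC 7636 section 4.3).
    client_id and redirect_uri are placeholders supplied by the caller."""
    return {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }


def token_params(code: str, redirect_uri: str, verifier: str) -> dict:
    """Body of the token request: send the stored verifier, never the challenge."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "code_verifier": verifier,
    }


if __name__ == "__main__":
    # Known-answer pair from RFC 7636 Appendix B.
    v = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
    print(make_code_challenge(v))           # E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM
    print(make_wrong_challenge_std_b64(v))  # same digest, standard Base64: '+' and trailing '='
    print(server_verify(v, make_code_challenge(v)))            # True
    print(server_verify(v, make_wrong_challenge_std_b64(v)))   # False
```

The two encodings of the same digest are the detail to watch: PKCE requires base64url without padding, so a challenge containing `+`, `/` or a trailing `=` will never match what the server recomputes from the verifier, and a verifier that was hashed as a hex string rather than as raw ASCII bytes fails the same way. The thread does not say which detail was wrong in the poster's VB.NET code; these are simply the mismatches that the "hash and encode it independently" check in the list above would surface.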