PKCE challenge not working

I am trying to connect to the Asana API using OAuth. I have everything else running ok, but when I try PKCE it doesn’t work.

I first generate a code verifier. After some googling this is the code I have. $code_verifier = rtrim(strtr(base64_encode(random_bytes(64)), '+/', '-_'), '='); I send this to the token exchange. Then I hash this and base64url encode it and pass that on to the authorization request from the browser.

$hashed = hash('sha256', $code_verifier, true);
$code_challenge = rtrim(strtr(base64_encode($hashed), '+/', '-_'), '=');
$url = $asana_client->dispatcher->oauthClient->getAuthenticationUrl(
    OAuthDispatcher::$AUTHORIZATION_ENDPOINT,
    $asana_client_redirect_url,
    array(
        'state' => $state,
        'code_challenge' => $code_challenge,
        'code_challenge_method' => 'S256'
    )
);
$result = $asana_client->dispatcher->oauthClient->getAccessToken(
    OAuthDispatcher::$TOKEN_ENDPOINT,
    'authorization_code',
    array(
        'code' => $_GET['code'],
        'redirect_uri' => $asana_client_redirect_url,
        'code_verifier' => $current_verifier
    )
);

But I get back a 400 error “invalid grant” with the description “The PKCE code_verifier does not match the stored code challenge.”

Weirdly enough if I don’t send the code verifier to the token exchange point it works. Is it supposed to be like that? Seems weird to me but also like a pretty big bug if it isn’t supposed to be like that.

Am I doing something wrong? All the googling I did and my own double checking makes it seem like this is what I’m supposed to do…any help would be appreciated.

Hello, @Eitan1

You’re on the right track with your implementation of PKCE for OAuth with Asana, but the error suggests a mismatch between the code_verifier and the code_challenge. Here’s a simplified version of the steps you should follow to ensure they match:

1. Generate Code Verifier:

$code_verifier = rtrim(strtr(base64_encode(random_bytes(64)), '+/', '-_'), '=');

2. Create Code Challenge:

$hashed = hash('sha256', $code_verifier, true);
$code_challenge = rtrim(strtr(base64_encode($hashed), '+/', '-_'), '=');

3. Send Code Challenge: Include the code_challenge in the authorization request to Asana.

4. Exchange Code for Token: When exchanging the code for a token, ensure you send the original code_verifier that you generated in step 1.

Here’s a key point to check: Make sure that the code_verifier you’re sending in the token exchange is the exact same one you used to generate the code_challenge initially. Any discrepancy between these values will result in the error you’re seeing.

Also, ensure that the code_verifier is not being modified or re-encoded before it’s sent in the token exchange request. It should be sent as plain text, exactly as it was generated.

If you’re still encountering issues, it might be helpful to use a tool like Postman to manually perform the steps and verify each part of the process. This can help isolate where the mismatch is occurring.

Remember, the code_verifier should not be hashed or modified when sending it in the token exchange; it should be the same value you started with.

Best regards,
diana658hill
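As an added example (not code from the thread or from the Asana PHP client), the full PKCE round trip behind the steps above, checked against the RFC 7636 Appendix B vector and with a local copy of the comparison the token endpoint performs, so a mismatched verifier is caught before the token request; the function names and session keys are assumptions.

```php
<?php
// Added example for this thread; not code from the post or the Asana PHP client.
// Assumes PHP >= 7.0. The session key names and function names are chosen here.

function base64url(string $bytes): string {
    return rtrim(strtr(base64_encode($bytes), '+/', '-_'), '=');
}

// RFC 7636 S256: base64url(SHA-256(verifier)) over the raw digest, no '=' padding.
function pkceChallenge(string $verifier): string {
    return base64url(hash('sha256', $verifier, true));
}

// The same comparison the token endpoint makes. Running it locally turns an empty,
// re-encoded or modified verifier, or a challenge built from a different value,
// into a clear local failure instead of an opaque invalid_grant 400.
function pkceMatches(string $verifier, string $challenge): bool {
    return hash_equals($challenge, pkceChallenge($verifier));
}

// Step 1, authorization request: generate once, persist, send only the challenge.
function beginPkce(array &$session): string {
    $verifier = base64url(random_bytes(64));            // 86 chars, within 43..128
    $session['pkce_verifier']  = $verifier;
    $session['pkce_challenge'] = pkceChallenge($verifier);
    return $session['pkce_challenge'];                  // 'code_challenge' parameter
}

// Step 2, redirect_uri callback: read the stored verifier, check it, consume it.
// Call beginPkce() only when starting a flow; calling it again on the callback
// overwrites the verifier the server is expecting.
function finishPkce(array &$session): string {
    $verifier  = $session['pkce_verifier']  ?? '';
    $challenge = $session['pkce_challenge'] ?? '';
    unset($session['pkce_verifier'], $session['pkce_challenge']);   // single use
    if (!pkceMatches($verifier, $challenge)) {
        throw new RuntimeException('PKCE verifier missing or does not match the sent challenge');
    }
    return $verifier;                                   // 'code_verifier' parameter, unmodified
}

// RFC 7636 Appendix B test vector confirms the encoding.
assert(pkceChallenge('dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk')
    === 'E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM');
$session   = [];                                        // stands in for $_SESSION
$challenge = beginPkce($session);
$verifier  = finishPkce($session);
assert(pkceMatches($verifier, $challenge));             // what a correct exchange sends
assert(!pkceMatches(base64url(random_bytes(64)), $challenge));   // a fresh verifier fails
```

In a real handler the array passed to beginPkce() and finishPkce() is $_SESSION, and the value returned by finishPkce() is what goes into the 'code_verifier' parameter of getAccessToken().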

Thank you for the help. I thought I was sending the correct code_verifier, but it seems I was somehow sending the wrong one. Fixed it now and it works fine. Thank you.
