Invalid authorization code with PKCE

Description

Our OAuth flow worked prior to adding PKCE support; this is part 2 of https://devforum.zoom.us/t/pkce-code-challenge-method-not-supported/51510

The redirection is followed and I have a code, so I’m now at step 2 attempting to submit the code to get an access token: https://marketplace.zoom.us/docs/guides/auth/oauth#step-2-request-access-token

But the endpoint https://zoom.us/oauth/token returns "reason":"Invalid authorization code {code}","error":"invalid_request"

Which App Type (OAuth / Chatbot / JWT / Webhook)?
OAuth

Which Endpoint/s?
https://zoom.us/oauth/token

How To Reproduce (If applicable)
Steps to reproduce the behavior:

  1. GET https://zoom.us/oauth/authorize?response_type=code&state={state}&code_challenge={code_challenge}&code_challenge_method=sha256&client_id={client_id}&redirect_uri={redirect_uri}

  2. Redirect / 302 to {redirect_uri}?code={code}&state={state}

  3. POST https://zoom.us/oauth/token
    in body as (application/x-www-form-urlencoded):
    grant_type=authorization_code
    code={code}
    code_verifier={code_verifier}
    redirect_uri={redirect_uri}

I’ve also tried encoding all parameters in the URL (as suggested in another post), but the response is the same “Invalid authorization code”:

POST https://zoom.us/oauth/token?grant_type=authorization_code&code={code}&code_verifier={code_verifier}&redirect_uri={redirect_uri}

Update:
I’ve refined my code changes so the only differences between an oauth flow that I’ve confirmed works* and the above steps are:
Calling https://zoom.us/oauth/authorize - add code_challenge and code_challenge_method parameters
Calling https://zoom.us/oauth/token add code_verifier

*Authorization / Content-Type are correct etc

So the problem does seem to be PKCE-related?

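Added example (not code from the post, from Zoom, or from any Zoom SDK): the three messages in the reproduction steps above built end to end, plus the verifier-to-challenge check the authorization server performs before it honours a code (RFC 7636 section 4.6), so that you can confirm locally that the code_verifier you send really derives the code_challenge you sent at the authorize step. RFC 7636 defines the method value as S256 (the post's step 1 writes sha256); the example uses the RFC spelling. The endpoints are the two the post names; client_id, client_secret, redirect_uri and the callback URL are placeholders, the callback is constructed in place of a real 302, and the token request is assumed to use HTTP Basic with client_id:client_secret, as confidential OAuth clients normally do. Nothing is sent over the network.

```python
"""Authorization-code flow with PKCE (RFC 7636), S256 method, built offline."""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Endpoints named in the post. Credentials used below are placeholders.
AUTHORIZE_URL = "https://zoom.us/oauth/authorize"
TOKEN_URL = "https://zoom.us/oauth/token"


def b64url(raw: bytes) -> str:
    """RFC 7636 section 3 base64url: URL-safe alphabet, '=' padding stripped."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """Random verifier; 32 bytes encode to 43 unreserved chars, the RFC minimum."""
    return b64url(secrets.token_bytes(nbytes))


def make_code_challenge(verifier: str) -> str:
    """S256 challenge: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def verifier_matches_challenge(verifier: str, challenge: str, method: str = "S256") -> bool:
    """The check the token endpoint performs before honouring the code (RFC 7636 4.6)."""
    if method == "S256":
        expected = make_code_challenge(verifier)
    elif method == "plain":
        expected = verifier
    else:
        return False  # RFC 7636 defines only "plain" and "S256"
    return secrets.compare_digest(expected, challenge)


def build_authorize_url(client_id: str, redirect_uri: str, state: str, challenge: str) -> str:
    """Step 1: the GET the browser is sent to, with the S256 challenge attached."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def parse_redirect(location: str, expected_state: str) -> str:
    """Step 2: pull the code out of the 302 Location after checking state."""
    q = parse_qs(urlparse(location).query)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback is not for the request we started")
    if "error" in q:
        raise ValueError(f"authorization server returned error={q['error'][0]}")
    return q["code"][0]


def build_token_request(client_id: str, client_secret: str, code: str,
                        verifier: str, redirect_uri: str) -> tuple[dict, str]:
    """Step 3: headers and form body for POST TOKEN_URL (Basic auth is an assumption)."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode("ascii")).decode("ascii")
    headers = {
        "Authorization": f"Basic {creds}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "code_verifier": verifier,          # must derive the challenge sent in step 1
        "redirect_uri": redirect_uri,       # must match the one sent in step 1
    })
    return headers, body


def demo() -> tuple[str, dict, str]:
    """Run the exchange locally against a constructed callback; returns (url, headers, body)."""
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)
    state = b64url(secrets.token_bytes(16))
    redirect_uri = "https://app.example.test/oauth/callback"   # placeholder
    url = build_authorize_url("client-id-placeholder", redirect_uri, state, challenge)
    # Constructed stand-in for the 302 the authorize endpoint would issue.
    callback = f"{redirect_uri}?{urlencode({'code': 'constructed-code', 'state': state})}"
    code = parse_redirect(callback, state)
    headers, body = build_token_request("client-id-placeholder", "client-secret-placeholder",
                                        code, verifier, redirect_uri)
    # Local sanity check: what the server will compute from our code_verifier.
    if not verifier_matches_challenge(verifier, challenge):
        raise RuntimeError("verifier does not derive the challenge we sent")
    return url, headers, body


if __name__ == "__main__":
    for part in demo():
        print(part)
```

Before debugging the token endpoint, run verifier_matches_challenge against the exact code_verifier string you post and the exact code_challenge string that went into the authorize URL; any re-encoding of either value between the two requests (padding, percent-encoding, a trailing newline) makes the server reject the exchange.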

Hey @AJW,

Thank you for reaching out to the Zoom Developer Forum. I’m tracking an issue similar to this but based on initial information, yours seems to be a bit different.

Please send an email to developersupport@zoom.us with a link to this thread. In that email, please include the token URL that you’re using as well as the authorization header. I’ll use that to investigate further.

Thanks,
Max