You are not following RFC7636 specs for S256 (sha256) code challenge method, but your documentation still refers to RFC7636. We spent 3 hours trying to get an access token using PKCE, only to discover this morning by reading a post in this forum that you don’t apply the sha256() function as per specs, when you apply it to code_verifier to see if it matches code_challenge.
You use base64 instead of base64url encoding, and you apply base64 to the hex sha256() string instead of the binary 256bit hash (see example at the end of the RFC for the expected behavior).
Can you please update the documentation, saying that the implementation is non-standard and putting your example NodeJS code there?
My question: I understand from the other thread that you want to correct this behaviour. Have you already scheduled the correction? When will your PKCE algorithm change? I’m asking so that we can change our code at the same time.
Also, from the RFC:
If the client is capable of using “S256”, it MUST use “S256”, as “S256” is Mandatory To Implement (MTI) on the server.
Going with “plain” instead of “S256” is a security hole: the whole point of PKCE is to prevent somebody from stealing the authorization_code and using it to get a valid access_token. If you put a plain code_challenge next to it, it serves no purpose, as an attacker can steal it as well, together with the authorization_code. In fact, you may as well not use PKCE at all.