Periodic invalid_grant in Authorization phase 2

My application will log in some of the time but not nearly all of the time. When it does log in, things go swimmingly: I get my refresh and access tokens as expected. But more than 70% of the time Okta returns an invalid_grant error:

error = "invalid_grant";
"error_description" = "PKCE verification failed.";

When it succeeds it seems to be no different than when it fails. It uses the exact same code, but sometimes Okta does like it and sometimes it doesn't. It can't be the redirect URI because then it would never work. It's definitely not the grant_type because that would also never work, and it does sometimes. Similarly with the client_id. The authorization code I'm getting from Okta, so that can't be it. The only thing left is the code verifier, which you would think would be the returned error if that was the problem. I'm stumped and have been for a while.

HELP!

My guess is that it might have something to do with how you are generating the code challenge and code verifier for PKCE:

https://developer.okta.com/authentication-guide/implementing-authentication/auth-code-pkce#implementing-the-authorization-code-flow-with-pkce

Are you using one of Okta’s libraries? (iOS or Android) or did you custom build something?

I built something myself.

I would have guessed that as well, but the same code that causes errors also logs in (occasionally). I suppose it could be getting it right some of the time and not all. If it's just the code verifier and the code challenge, then all I'll have to use from the Okta libraries is the code verifier generator and the SHA-256 hash function.

What language are you working in?

Swift 4 on iOS. Developing for the iPhone.

Can you share how you are generating your code verifier and challenge? Just want to take a look.

Seems to have been the code that generates the code verifier and the app state.

I was using the same method but I guess the app state has a shorter range 32-64 characters vs. 43-128 for the code verifier.

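The resolution above (a verifier generator shared with the app state, so the verifier sometimes came out shorter than 43 characters) is exactly the failure RFC 7636 guards against: code_verifier must be 43 to 128 characters from the unreserved set `[A-Za-z0-9-._~]`, and code_challenge must be base64url(SHA-256(code_verifier)) with no padding. The following is an added Swift example written for this thread; it is not the original poster's code and not Okta's SDK. It assumes iOS with CommonCrypto and Security available, and it generates the verifier from 32 random bytes (which always yields exactly 43 base64url characters) so it can never fall below the minimum, keeps the state as a separate value, and checks the verifier against the RFC limits before the authorize request is built.

```swift
import Foundation
import Security
import CommonCrypto

// Hypothetical helper type for this example; name and API are assumptions.
enum PKCE {

    // base64url per RFC 4648 §5 with padding stripped, as RFC 7636 requires.
    static func base64URLEncode(_ data: Data) -> String {
        return data.base64EncodedString()
            .replacingOccurrences(of: "+", with: "-")
            .replacingOccurrences(of: "/", with: "_")
            .replacingOccurrences(of: "=", with: "")
    }

    // Cryptographically secure random bytes from the system CSPRNG.
    static func randomBytes(_ count: Int) -> [UInt8] {
        var bytes = [UInt8](repeating: 0, count: count)
        let status = SecRandomCopyBytes(kSecRandomDefault, bytes.count, &bytes)
        precondition(status == errSecSuccess, "SecRandomCopyBytes failed")
        return bytes
    }

    // 32 random bytes -> 43 base64url characters, the RFC 7636 minimum.
    // 64 bytes would give 86 characters; 96 bytes gives the 128 maximum.
    static func generateCodeVerifier(byteCount: Int = 32) -> String {
        precondition((32...96).contains(byteCount), "verifier would be outside 43...128 chars")
        return base64URLEncode(Data(randomBytes(byteCount)))
    }

    // The state parameter is a separate CSRF token with its own length;
    // it must never be reused as the code verifier.
    static func generateState(byteCount: Int = 24) -> String {
        return base64URLEncode(Data(randomBytes(byteCount)))
    }

    // code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
    static func codeChallenge(for verifier: String) -> String {
        let input = [UInt8](verifier.utf8)
        var digest = [UInt8](repeating: 0, count: Int(CC_SHA256_DIGEST_LENGTH))
        CC_SHA256(input, CC_LONG(input.count), &digest)
        return base64URLEncode(Data(digest))
    }

    // Guard that catches the bug from this thread before the request is sent:
    // a verifier outside 43...128 characters or outside the unreserved set
    // is rejected by the authorization server at the token step.
    static func isValidVerifier(_ verifier: String) -> Bool {
        let allowed = CharacterSet(charactersIn:
            "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~")
        guard (43...128).contains(verifier.count) else { return false }
        return !verifier.unicodeScalars.contains { !allowed.contains($0) }
    }
}

// Usage: generate once per login attempt, keep the verifier and state in memory
// for that attempt, and send the verifier unchanged with the token request.
let verifier = PKCE.generateCodeVerifier()
let state = PKCE.generateState()
precondition(PKCE.isValidVerifier(verifier), "code_verifier violates RFC 7636")
let challenge = PKCE.codeChallenge(for: verifier)
// Authorize request carries: code_challenge=<challenge>, code_challenge_method=S256, state=<state>
// Token request carries:     code=<auth code>, code_verifier=<verifier>
print("verifier length: \(verifier.count), challenge: \(challenge)")
```

Two properties of this design explain the intermittent behaviour in the thread. Because the verifier is derived from a fixed byte count, its character length is deterministic (43 for 32 bytes), so it cannot randomly dip below the minimum the way a 32-64 character generator does. And because the challenge is computed from the exact string that will later be sent as code_verifier, a "PKCE verification failed" response can only mean the verifier was altered, regenerated, or lost between the authorize and token requests, which is the next thing to check if the length fix alone does not clear the error.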