PKCE Verification Failed Intermittent C#

Okta Dev Community,

I have an intermittent issue with my implementation of Authorization Code flow with a Proof Key for Code Exchange (PKCE) [Overview | Okta Developer](Okta Guide Auth with Code PKCE). I have implemented this flow with native C++ desktop apps with great success and high reliability but I am trying to make a C# desktop app work the same way and I am getting intermittent success and failure with the following error:

{"error":"invalid_grant","error_description":"PKCE verification failed."}

My rate of success right now seems to be 60% failure to 40% success. The flow always fails after the POST to request the “access_token” and “id_token”. I don’t change anything in my code for any consecutive tries, but my success rate is around the same. I have searched online extensively with no success and my C# experience is limited; this seems to be the closest thing to an answer, but I already tried “async” with “await” with no greater success [https://github.com/okta/okta-oidc-js/issues/804](PKCE Code Verification Failure).

Any ideas on what’s going on? (see code below)

Thanks in advance for the help!

Snippet of my code below

private async void completeAuth()
{
    // Okta token endpoint: {orgURL}oauth2/v1/token
    string tokenURL = orgURL + "oauth2/v1/token";

    try
    {
        var client = new RestClient(tokenURL);
        client.Timeout = -1;
        var request = new RestRequest(Method.POST);
        request.AddHeader("Accept", "application/json");
        request.AddHeader("Content-Type", "application/x-www-form-urlencoded");
        // Authorization-code exchange; the server recomputes SHA-256(code_verifier)
        // and compares it with the code_challenge sent on the /authorize request.
        request.AddParameter("grant_type", "authorization_code");
        request.AddParameter("client_id", clientID);
        request.AddParameter("redirect_uri", redirectURL);
        request.AddParameter("code", code);
        request.AddParameter("code_verifier", codeVerifier);
        IRestResponse response = await client.ExecuteAsync(request);
        string resStr = response.Content;

        Console.WriteLine(resStr);
        if (resStr.Contains("id_token"))
        {
            Console.WriteLine("Success");
        }
    }
    catch (Exception e)
    {
        Console.WriteLine("Error while POSTING: " + e.Message);
    }
}

Hello,
I would guess that there could be an issue with the code around your code_challenge/verification. Do you see a pattern, like if the app starts up fresh the first login works, after that the next fails, etc.?

If you are looking to code the client portion of a pkce flow for a desktop app, we don’t have a C# sample that I am aware of but you might look at this sample. It shows a sample command client app that starts a mini web server and does a pkce flow.


Thanks for the reply. I think you hit the nail on the head with the issue. I ran 15 tests and recorded the Code Verifier and Code Challenge. For some reason the flow fails if my code challenge contains any ‘+’ or ‘/’ char in the SHA256 Base64 string. I double checked some of the failures with this online tool [SHA generator](SHA Generator) and they seem to be good. The code I used for creating the Code Verifiers is more or less the same I used in C++ with consistent success.

I guess if the special chars are the issue, how do I stay away from them in the Code Challenge? I am at least ensuring the State and Code Verifiers are URL safe, but once I hash the string I am not confident what is coming out is URL safe. Maybe I am way off, see the examples below.

Any additional guidance is welcomed, thanks a lot!

Success!!!

Still don’t know why but I guess the C++ code I use is already taking this into account. From the sample code provided by Erik above I was able to see the string is not only replacing ‘=’ with empty spaces but also ‘+’ with ‘-’ and ‘/’ with ‘_’. I updated my code to do the same and I just had 5 consecutive successful attempts.

Thanks a lot for the support!

// Convert standard Base64 to base64url: '+' -> '-', '/' -> '_', strip trailing '=' padding.
function base64url(str) {
    return str.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
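For anyone landing here with the same symptom in C#, the following is an added example (not code from any poster in this thread or from Okta) of the full S256 path from RFC 7636: a random code_verifier, the code_challenge as base64url(SHA-256(verifier)) with no padding, and the server-side recomputation that Okta performs on the token request. It assumes .NET 5 or later (for SHA256.HashData and CryptographicOperations.FixedTimeEquals); the class and method names are my own. The self-check uses the verifier/challenge pair published in RFC 7636 Appendix B, and the Main shows why plain Convert.ToBase64String fails intermittently: the result only differs from base64url when the 32-byte digest happens to encode to a '+' or '/', which is exactly the roughly-half-the-time failure rate the thread describes.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not part of the original thread. Assumes .NET 5+.
public static class Pkce
{
    // base64url per RFC 4648 section 5: same alphabet as Base64 except
    // '+' -> '-' and '/' -> '_', and the trailing '=' padding is dropped.
    public static string Base64UrlEncode(byte[] bytes)
    {
        return Convert.ToBase64String(bytes)
            .TrimEnd('=')
            .Replace('+', '-')
            .Replace('/', '_');
    }

    // 32 random bytes -> 43 base64url characters, inside the 43..128 length
    // range RFC 7636 requires and within its unreserved character set.
    public static string CreateCodeVerifier()
    {
        var bytes = new byte[32];
        RandomNumberGenerator.Fill(bytes);
        return Base64UrlEncode(bytes);
    }

    // code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))  (S256 method)
    public static string CreateCodeChallenge(string codeVerifier)
    {
        byte[] digest = SHA256.HashData(Encoding.ASCII.GetBytes(codeVerifier));
        return Base64UrlEncode(digest);
    }

    // What the authorization server does on the token request: recompute the
    // challenge from the presented verifier and compare in constant time.
    public static bool Verify(string codeVerifier, string expectedChallenge)
    {
        string actual = CreateCodeChallenge(codeVerifier);
        return CryptographicOperations.FixedTimeEquals(
            Encoding.ASCII.GetBytes(actual),
            Encoding.ASCII.GetBytes(expectedChallenge));
    }

    // Known-answer check from RFC 7636 Appendix B.
    public static bool SelfTest()
    {
        const string verifier = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk";
        const string challenge = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM";
        return CreateCodeChallenge(verifier) == challenge && Verify(verifier, challenge);
    }

    public static void Main()
    {
        Console.WriteLine("RFC 7636 self-test: " + (SelfTest() ? "pass" : "FAIL"));

        string verifier = CreateCodeVerifier();
        string challenge = CreateCodeChallenge(verifier);
        Console.WriteLine($"code_verifier:  {verifier}");
        Console.WriteLine($"code_challenge: {challenge}");

        // The bug from the thread: plain Base64 of the digest, padding stripped
        // but '+' and '/' left in place. It matches base64url only when the
        // digest contains neither character, hence the intermittent failures.
        string plainBase64 = Convert.ToBase64String(
            SHA256.HashData(Encoding.ASCII.GetBytes(verifier))).TrimEnd('=');
        Console.WriteLine(plainBase64 == challenge
            ? "plain Base64 happened to match this time"
            : "plain Base64 would have failed PKCE verification: " + plainBase64);
    }
}
```

Send the challenge with `code_challenge_method=S256` on the /authorize request and the matching verifier on the /token request; generate a fresh verifier for every login rather than reusing one across attempts.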