PKCE verification failed - Using 'code' after login

I’m currently working in Xamarin.Forms (C#).

I’ve been getting the ‘PKCE verification failed’ error every time I try and get a ‘refresh token’ from the /token endpoint. I’m really new to this so any help would be appreciated.

Currently, the ‘code’ I’m using comes from me putting ‘code’ as one of the response types in the /authorize endpoint and then I get that out of the result’s properties.

My call looks like this:

{OktaConfiguration.OrganizationUrl}/oauth2/v1/token?grant_type=authorization_code&redirect_uri={OktaConfiguration.Callback}&code={code}&code_verifier={codeVerifier}

The codeVerifier is the same one I used with /authorize.

Thanks in advance!

Hello,
My suggestion would be to open a support case so you could supply the Org Id, client id, and the entire /authorize and /token calls. It would make it easier to look into.

If not, can you supply the full /authorize call minus the Org Url and client id, along with the full /token call minus the Org Url?
Supplying the code_challenge/Verifier/code should be fine as these values will be unique to this transaction.

Sounds like this is the problem then. The “code verifier” used in the token request is not the same thing as the “code challenge” which you provide in the authorization request. Take a look at the step by step here.

Also make sure you are not sending the parameters to the token endpoint in the URL, they should be POST body parameters.

Sorry, I meant that the code_verifier was the same one I used to generate the code_challenge. Not that I used it as the code_challenge.

I may have to talk with the admin on the account and see if the client secret he gave me is accurate. That’s the only thing I can think of at this point.

Okay, make sure you’re sending these as POST body parameters though.

You can also double check your implementation of calculating the PKCE code challenge against this tool: PKCE Tools. The most common errors I see are forgetting to use the URL-safe base64 encoding or forgetting to trim off the = at the end.

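The two points raised in the replies above, the S256 code_challenge derivation (URL-safe base64, padding stripped) and the /token parameters going in a form-encoded POST body rather than the URL, as an added example that is not from the thread or from Okta. The RFC 7636 Appendix B test vector is used to check the derivation; the redirect URI and client id are placeholder values.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode


def make_code_verifier(nbytes: int = 32) -> str:
    """Generate a high-entropy code_verifier (43..128 chars of [A-Za-z0-9-._~])."""
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).rstrip(b"=").decode("ascii")


def make_code_challenge(code_verifier: str) -> str:
    """S256: BASE64URL(SHA256(ASCII(code_verifier))) with the '=' padding removed.

    base64.urlsafe_b64encode still emits '=' padding, so the rstrip is required;
    sending the padded (or non-URL-safe) form is what makes the server reject the verifier.
    """
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def wrong_code_challenge(code_verifier: str) -> str:
    """The common mistake: standard base64 alphabet ('+', '/') and '=' padding left in."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def build_token_request_body(code: str, code_verifier: str, redirect_uri: str, client_id: str) -> str:
    """Body of the POST to /token (Content-Type: application/x-www-form-urlencoded).

    None of these belong in the query string of the /token URL.
    """
    return urlencode({
        "grant_type": "authorization_code",
        "redirect_uri": redirect_uri,   # must match the one sent to /authorize
        "code": code,
        "code_verifier": code_verifier,  # the verifier, not the challenge
        "client_id": client_id,          # placeholder; assumed public client
    })


def server_verifies(code_verifier: str, stored_challenge: str) -> bool:
    """What the authorization server does at /token: recompute S256 and compare in constant time."""
    return secrets.compare_digest(make_code_challenge(code_verifier), stored_challenge)
```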

Okay, so I wasn’t trimming the ‘=’, still getting the same error though, and using that tool I can verify that I’m calculating the code challenge properly. Thanks!

I am sending this as a POST with these settings:

    myReq.ServerCertificateValidationCallback = delegate { return true; };
    myReq.Method = WebRequestMethods.Http.Post;
    myReq.Accept = "application/json";
    myReq.ContentType = "application/x-www-form-urlencoded";
    myReq.SendChunked = false;

Is this line disabling TLS cert validation? Unrelated, but that’s not a good idea in general.

    myReq.ServerCertificateValidationCallback = delegate { return true; };

Where are you actually setting the URL and request body?