PKCE with ASP.NET Core 2 Web API and Xamarin Android app

I’m having trouble setting up an Okta native app that uses PKCE. I have a .NET Core 2 Web API that is set up to accept JWT tokens per the documentation. In the Okta app, I have set up a native application that uses com.oktapreview.dev-169299:/callback as the login redirect URI. When we construct the call to the authorization URL, it returns a session token in a JSON object after the login. If I put in a redirect_uri that I know will 404, I can get the code from the URL and supply that to the /token endpoint in a POST, but that returns:

    {
        "error": "invalid_grant",
        "error_description": "PKCE verification failed."
    }
Is there a way to test the flow through Postman or a web browser?

Also, is there a tutorial that shows how to set up the client in C# (for Xamarin)?

We don’t have a sample/quickstart for Xamarin quite yet.

We had a similar question here:

which illustrates using the OpenID Connect / OAuth 2.0 pieces from Xamarin. Does that help?

We have documentation on the calls to the token endpoint here: https://developer.okta.com/authentication-guide/implementing-authentication/auth-code-pkce

Also, our Postman collection does show how to validate this with Postman (with Interceptor):
https://app.getpostman.com/run-collection/4adca9a35eab5716d9f6

Thanks Tom. We’ll look into the Xamarin NuGet package that supports PKCE. We were working off the Okta PKCE documentation and couldn’t get the access_token as a response from that, just the session_token.

I’ve tried getting the Postman collection, but it is returning an error saying the collection is not found.

Jeff

Ah, yeah, the Authentication API will return a sessionToken, and you need to exchange it with the authorize route for an authorization code, which you can exchange for an access token (mouthful)…

To do that, you need to use the authorize route with the sessionToken, and all the PKCE parameters:
https://developer.okta.com/docs/api/resources/oidc#request-parameters

And then exchange the code with all the PKCE parameters for the access token.

Make sense?

I’m not seeing the same error with the Postman collection; sometimes Postman (who hosts the collection) 404s, but I’m currently not seeing it.

Thanks
Tom
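The sequence Tom describes above (sessionToken → authorize with PKCE parameters → code → token exchange with the same code_verifier) is worth seeing end to end, because the "PKCE verification failed" error in the original question is exactly what the token endpoint returns when the code_verifier presented at /v1/token does not hash to the code_challenge that was sent to /v1/authorize. The following Python is an added example, not code from the thread or from Okta's SDKs; it builds the two requests (it does not send them) and includes a small function that reproduces the check the authorization server performs. The issuer URL is a placeholder, the client_id, sessionToken, code and state values are constructed, and the redirect URI is the one from the question.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder issuer; the real one is https://{yourOktaDomain}/oauth2/default
ISSUER = "https://YOUR-OKTA-DOMAIN.example/oauth2/default"
REDIRECT_URI = "com.oktapreview.dev-169299:/callback"  # from the question


def b64url(data: bytes) -> str:
    # RFC 7636 uses base64url without padding.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    # 32 random bytes -> 43 unreserved characters, the RFC 7636 minimum length.
    return b64url(secrets.token_bytes(nbytes))


def make_code_challenge(verifier: str) -> str:
    # S256 method: challenge = base64url(SHA-256(verifier)).
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(client_id: str, session_token: str, code_challenge: str,
                        state: str, nonce: str) -> str:
    # Step 1: redeem the sessionToken at /v1/authorize, carrying the PKCE challenge.
    params = {
        "client_id": client_id,
        "response_type": "code",
        "scope": "openid profile",
        "redirect_uri": REDIRECT_URI,
        "state": state,
        "nonce": nonce,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
        "sessionToken": session_token,
    }
    return f"{ISSUER}/v1/authorize?{urlencode(params)}"


def extract_code(redirect_url: str, expected_state: str) -> str:
    # Step 2: the browser lands on the custom-scheme redirect; pull out the code
    # and refuse it if the state does not match what we sent (CSRF protection).
    query = parse_qs(urlparse(redirect_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch")
    return query["code"][0]


def build_token_request(client_id: str, code: str, verifier: str) -> tuple[str, dict]:
    # Step 3: POST the code plus the ORIGINAL verifier (not the challenge) to /v1/token.
    body = {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "redirect_uri": REDIRECT_URI,
        "code": code,
        "code_verifier": verifier,
    }
    return f"{ISSUER}/v1/token", body


def server_pkce_check(stored_challenge: str, presented_verifier: str) -> bool:
    # What the token endpoint does with the verifier: recompute S256 and compare.
    # A mismatch is reported to the client as invalid_grant / "PKCE verification failed."
    return hmac.compare_digest(make_code_challenge(presented_verifier), stored_challenge)


def demo_flow() -> dict:
    # Walks the whole exchange with constructed values; returns what each step produced.
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    auth_url = build_authorize_url("0oaCONSTRUCTEDclientid", "CONSTRUCTED_sessionToken",
                                   challenge, state, nonce)
    # Constructed redirect, as the Android intent would receive it.
    landed = f"{REDIRECT_URI}?code=CONSTRUCTEDcode123&state={state}"
    code = extract_code(landed, state)
    token_url, body = build_token_request("0oaCONSTRUCTEDclientid", code, verifier)
    return {
        "auth_url": auth_url,
        "token_url": token_url,
        "token_body": body,
        "server_accepts": server_pkce_check(challenge, body["code_verifier"]),
        "server_accepts_other_verifier": server_pkce_check(challenge, make_code_verifier()),
    }


if __name__ == "__main__":
    for k, v in demo_flow().items():
        print(k, "=", v)
```

The two failure modes from the thread fall out of this directly: sending the sessionToken straight to /v1/token skips step 1 entirely, and generating a fresh verifier for the token call (or testing the token POST in Postman with a verifier that is not the one the app used for the authorize call) makes server_pkce_check return False, which is the "PKCE verification failed." response.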

Yep, that did the trick. We are now able to get logged in. There is one small issue though. On the first login, we get an ERR_UNKNOWN_URL_SCHEME. If you open the app again, the authentication is complete and everything works. The error will happen again if you clear browsing data and log in. We’ve checked the redirect_uris and the intent settings in the Xamarin Android app repeatedly but can’t get it to behave properly.

[/uploads/oktadev/original/1X/5836863f1a3dc171f973400d257b973328298454.jpg]

There’s a long-standing bug in Chromium regarding how links without protocols are handled. This error does not have a single solution to date because it arises for a multitude of reasons. The ERR_UNKNOWN_URL_SCHEME error is commonly because of a browser issue: there’s no application on your device which can handle that particular action. It is a Chromium bug. In Chrome version 40 and up, this bug has resurfaced, but only if you are manually entering the URL of the redirect page in the address bar. The bug in Chromium is responsible, yet every time a patch is added to solve it, the error finds a new way to resurface. The issue is on the Chromium issue tracker here.

Common solutions:

  • Prefixing your links with http:// (or https://) should resolve the issue in some cases

  • If the ERR_UNKNOWN_URL_SCHEME error occurs in mailto: or tel: links inside an iframe, then you can try to add target="_blank" in your URL scheme.