PKCE with Device Authorization doesn't work for me

jimjonah · January 14, 2025, 9:33pm

Is this expected?

I’m using the Classic Identity Engine. The option to use it is checked.
However, even though I send the code_challenge to the device/authorize endpoint, when I send the code_verifier to the v1/token endpoint (the second step of the flow) I get this error: “PKCE code challenge should be specified in the authorize request for code verification.”

Should PKCE work with this flow? This is for a native CLI application.

andrea · January 14, 2025, 9:54pm

I don’t believe PKCE is compatible with the Device Authorization flow. The RFC states that the Device Authorization endpoint

is separate from the OAuth authorization endpoint defined in [RFC6749] with which the user interacts via a user agent (i.e., a browser).

Post		Replies	Views
PKCE verification failed - Using 'code' after login Questions	7	6850	February 12, 2024
Oidcdebugger & PKCE code verifier is required when the token endpoint authentication method is 'NONE' OAuth/OIDC	3	3373	May 9, 2022
Code verifier and code challenge Questions	3	6645	June 22, 2020
What is Code Verifier and Why? Questions	3	2390	March 23, 2024
OIDC PKCE GoLang CLI OAuth/OIDC	2	2984	February 12, 2024

PKCE with Device Authorization doesn't work for me

Related topics