Forum Discussion

mk29
Explorer | Level 3
4 years ago

error: invalid code verifier

Hi. I'm developing a C++ application that needs to connect to Dropbox. I'm stuck at implementing OAuth. As the documentation suggests:

code_challenge String?(min_length=43, max_length=128) Part of the PKCE flow, the challenge should be an SHA-256 (S256) encoded value of a string that will serve as the code_verifier of the corresponding /oauth2/token call. Can also be set to plain (plain).

My understanding was that this means I need to generate a random string with minimum 43 characters and hash it using SHA-256 and that will give me code_challenge. But when I call /oauth2/token I get this error:

{"error_description": "invalid code verifier", "error": "invalid_grant"}

Then I found this article that says this is the correct way to calculate code_challenge:

Base64UrlEncode(SHA256Hash(code_verifier))

Which means I had to take an extra step and encode the hashed value. I tried this, but the same message is returned. These are the values I'm sending:

code_verifier -> 2LORVR1BWsWNkUuLISmv28MR44bYCiq39mU5m8QuzKM
code_challenge -> YzY0Y2EwZTRlZDgwMTUwZWYxMzE2ZDQwZTJkMjQ0NWUxMDVlN2JlZWU2M2EzMjM3NjVmZTVhZmM2YzZlMjgyNw

I have checked my code_challenge with online calculators and it's correct. I would appreciate it if someone could explain to me why I am getting this error.

  • Greg-DB
    Dropbox Staff

    That code_challenge value does not appear to be correct for that code_verifier value. I tried plugging "2LORVR1BWsWNkUuLISmv28MR44bYCiq39mU5m8QuzKM" into https://tonyxu-io.github.io/pkce-generator/ as the "Code Verifier" and got a "Code Challenge" of "xkyg5O2AFQ7xMW1A4tJEXhBee-7mOjI3Zf5a_GxuKCc".


    Also, make sure you're using the "Code Challenge" on the /oauth2/authorize URL, and are passing the "Code Verifier" to /oauth2/token, and not the other way around.

    • mk29
      Explorer | Level 3

      Thanks for the fast reply.

      How strange! I used this link for SHA-256 and then copied the output to a base64url encoder to check my code_challenge and it was OK. I guess I'm missing something here.

      And for the second part of your answer, I'm doing exactly as you said.

      • Greg-DB
        Dropbox Staff

        I confirmed that https://tonyxu-io.github.io/pkce-generator/ generates a correct code challenge that Dropbox accepts, so it sounds like there's something wrong in the process you were using.


        It looks like the issue is that the "SHA-256 hash calculator" is presenting the hash with hex encoding, which should not be used in the process of generating the code challenge. The app needs to base64URL-encode the binary value, not the hex-encoded value.
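The fix Greg-DB describes, as an added example that is not part of the original thread and not Dropbox's code: the correct S256 challenge (base64url over the raw digest bytes) beside the hex-encoding mistake, checked against the verifier and challenge values quoted above. Assumes only the Python 3 standard library.

```python
import base64
import hashlib
import hmac
import secrets

# code_verifier and the code_challenge the generator produced for it, both from the thread
EXAMPLE_VERIFIER = "2LORVR1BWsWNkUuLISmv28MR44bYCiq39mU5m8QuzKM"
EXAMPLE_CHALLENGE = "xkyg5O2AFQ7xMW1A4tJEXhBee-7mOjI3Zf5a_GxuKCc"


def b64url_nopad(raw: bytes) -> str:
    """Base64url (RFC 4648 section 5) without '=' padding, as PKCE requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """Random verifier: 32 bytes become 43 base64url chars (RFC 7636 allows 43..128)."""
    return b64url_nopad(secrets.token_bytes(nbytes))


def code_challenge_s256(code_verifier: str) -> str:
    """Correct S256 challenge: base64url over the 32 raw SHA-256 digest bytes."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return b64url_nopad(digest)


def code_challenge_hex_mistake(code_verifier: str) -> str:
    """The bug from the thread: base64url over the 64-char hex string instead of the bytes."""
    hex_digest = hashlib.sha256(code_verifier.encode("ascii")).hexdigest()
    return b64url_nopad(hex_digest.encode("ascii"))


def verifier_matches_challenge(code_verifier: str, code_challenge: str) -> bool:
    """What the token endpoint does: recompute S256 and compare in constant time."""
    return hmac.compare_digest(code_challenge_s256(code_verifier), code_challenge)


if __name__ == "__main__":
    print("correct (43 chars):", code_challenge_s256(EXAMPLE_VERIFIER))
    print("hex mistake (86 chars):", code_challenge_hex_mistake(EXAMPLE_VERIFIER))
    print("token endpoint accepts:", verifier_matches_challenge(EXAMPLE_VERIFIER, EXAMPLE_CHALLENGE))
```

A challenge of 86 characters instead of 43 is the quickest sign that the hex string, not the digest bytes, was encoded.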