Dropbox API Support & Feedback

error: invalid code verifier

mk29
Explorer | Level 3

Hi. I'm developing a C++ application that needs to connect to Dropbox. I'm stuck at implementing OAuth. As documentation suggests:

code_challenge String?(min_length=43, max_length=128) Part of the PKCE flow, the challenge should be an SHA-256 (S256) encoded value of a string that will serve as the code_verifier of the corresponding /oauth2/token call. Can also be set to plain (plain).

My understanding was that this means I need to generate a random string with minimum 43 characters and hash it using SHA-256 and that will give me code_challenge. But when I call /oauth2/token I get this error:

{"error_description": "invalid code verifier", "error": "invalid_grant"}

Then found this article that says this is the correct way to calculate code_challenge:

Base64UrlEncode(SHA256Hash(code_verifier))

Which means I had to take an extra step and encode the hashed value. Tried this but the same message is returned. These are the values I'm sending:

code_verifier -> 2LORVR1BWsWNkUuLISmv28MR44bYCiq39mU5m8QuzKM
code_challenge -> YzY0Y2EwZTRlZDgwMTUwZWYxMzE2ZDQwZTJkMjQ0NWUxMDVlN2JlZWU2M2EzMjM3NjVmZTVhZmM2YzZlMjgyNw

I have checked my code_challenge with online calculators and it's correct. I would appreciate it if someone could explain to me why I am getting this error.


Re: error: invalid code verifier

Greg-DB
Dropboxer

That code_challenge value does not appear to be correct for that code_verifier value. I tried plugging "2LORVR1BWsWNkUuLISmv28MR44bYCiq39mU5m8QuzKM" into https://tonyxu-io.github.io/pkce-generator/ as the "Code Verifier" and got a "Code Challenge" of "xkyg5O2AFQ7xMW1A4tJEXhBee-7mOjI3Zf5a_GxuKCc".

Also, make sure you're using the "Code Challenge" on the /oauth2/authorize URL, and are passing the "Code Verifier" to /oauth2/token, and not the other way around.

Re: error: invalid code verifier

mk29
Explorer | Level 3

Thanks for the fast reply.

How strange! I used this link for sha256 and then copied the output to base64url encoder to check my code_challenge and it was ok. I guess I'm missing something here.

And for the second part of your answer, I'm doing exactly as you said.

Re: error: invalid code verifier

Greg-DB
Dropboxer

I confirmed that https://tonyxu-io.github.io/pkce-generator/ generates a correct code challenge that Dropbox accepts, so it sounds like there's something wrong in the process you were using.

It looks like the issue is that the "SHA-256 hash calculator" is presenting the hash with hex encoding, which should not be used in the process of generating the code challenge. The app needs to base64URL-encode the binary value, not the hex-encoded value.
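
Added example (not part of the original thread, and not Dropbox's code): a Python reference check that computes the S256 challenge from the raw digest bytes, reproduces the hex-encoding mistake diagnosed above, and can be used to compare against the output of a C++ implementation. The function names are hypothetical; the sample values are the ones posted in this thread, and the 43-128 character unreserved-alphabet rule for the verifier comes from RFC 7636.

```python
import base64
import hashlib
import re
import secrets

# Values posted in the thread above.
THREAD_VERIFIER = "2LORVR1BWsWNkUuLISmv28MR44bYCiq39mU5m8QuzKM"
THREAD_REJECTED = ("YzY0Y2EwZTRlZDgwMTUwZWYxMzE2ZDQwZTJkMjQ0NWUxMDVl"
                   "N2JlZWU2M2EzMjM3NjVmZTVhZmM2YzZlMjgyNw")
THREAD_ACCEPTED = "xkyg5O2AFQ7xMW1A4tJEXhBee-7mOjI3Zf5a_GxuKCc"

# RFC 7636: the verifier is 43-128 characters from the unreserved set.
_VERIFIER_RE = re.compile(r"[A-Za-z0-9._~-]{43,128}")

def _b64url(data: bytes) -> str:
    """base64url without '=' padding, as PKCE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def new_code_verifier() -> str:
    """32 bytes from the OS CSPRNG give a 43-character verifier."""
    return _b64url(secrets.token_bytes(32))

def s256_challenge(verifier: str) -> str:
    """Correct form: base64url over the 32 raw digest bytes."""
    if not _VERIFIER_RE.fullmatch(verifier):
        raise ValueError("verifier must be 43-128 unreserved characters")
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def hex_mistake(verifier: str) -> str:
    """Failure mode from the thread: base64url over the 64-char hex text."""
    hex_text = hashlib.sha256(verifier.encode("ascii")).hexdigest()
    return _b64url(hex_text.encode("ascii"))

def diagnose(verifier: str, challenge: str) -> str:
    """Classify a challenge produced by another implementation."""
    expected = s256_challenge(verifier)
    if challenge == expected:
        return "ok"
    if challenge == hex_mistake(verifier):
        return "hex-encoded digest was base64url-encoded"
    if challenge.rstrip("=").replace("+", "-").replace("/", "_") == expected:
        return "standard base64 alphabet or '=' padding used"
    return "mismatch"

if __name__ == "__main__":
    print(diagnose(THREAD_VERIFIER, THREAD_REJECTED))
```

A correct challenge for a 32-byte SHA-256 digest is always 43 characters; an 86-character value like the rejected one is a quick sign that the hex text was encoded instead of the raw bytes.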
