Invalid code_verifier in PKCE Flow for OAuth2 Authorization

hawthorne91 230 Reputation points
2024-08-20T14:53:05.2333333+00:00

Hi, I'm currently trying to use the PKCE (Proof Key for Code Exchange) method of obtaining an access token outlined in this Microsoft tutorial. Whenever I try to log in to B2C to obtain the authorization code, I receive the following error after logging in:

AADB2C90183: The supplied code_verifier is invalid

I'm not sure how to address this error, so I wanted to see if anyone could provide insight on how to fix the issue. I've tried two different websites to generate the code_challenge and code_verifier values; however, I still receive the same error. The format of the link I use is below.

https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{user-flow}/oauth2/v2.0/authorize?
client_id=
&response_type=code
&redirect_uri=_
&scope=_
&code_challenge=_
&code_challenge_method=S256

When I remove the code_challenge and code_challenge_method query parameters, the URL allows for a proper login and returns a code, but to return tokens a client_secret is required, which I do not want to happen. How should I go about addressing this issue?

Tags: Microsoft Entra External ID, Microsoft Entra ID

1 answer

  1. Raja Pothuraju 8,095 Reputation points Microsoft Vendor
    2024-08-23T09:48:23.48+00:00

    Hello @hawthorne91,

    Thank you for posting your query on Microsoft Q&A.

    I see that you are using the OAuth 2.0 authorization code flow in Azure Active Directory B2C, utilizing Proof Key for Code Exchange (PKCE). However, you're encountering an error that states, "AADB2C90183: The supplied code_verifier is invalid" whenever you attempt to log into your application.

    I tried replicating the issue in my environment to check if there might be a problem with the code verifier on the Azure AD B2C side. However, I was able to successfully generate the code and request an ID token without any issues.

    You mentioned that you've tried generating the code_challenge and code_verifier using two different websites. Could you please let me know which websites you used? I'd like to generate the values from those same websites to see if I can replicate the issue you're experiencing.

    Based on the error message, it seems that the code_challenge or code_verifier values you're using are invalid, which is why you're encountering this error.

    Since you are using a user flow, I recommend generating the code_challenge and code_verifier directly from Azure AD B2C rather than relying on other websites. Here are the steps to generate these values from Azure AD B2C:

    1. Register the SPA application:
    • Sign in to the Azure portal.
    • If you have access to multiple tenants, select the Settings icon in the top menu to switch to your Azure AD B2C tenant from the Directories + subscriptions menu.
    • In the Azure portal, search for and select Azure AD B2C.
    • Select App registrations, and then select New registration.
    • Enter a Name for the application. For example, spaapp1.
    • Under Supported account types, select Accounts in any identity provider or organizational directory (for authenticating users with user flows)
    • Under Redirect URI, select Single-page application (SPA), and then enter https://jwt.ms in the URL text box.
    • Under Permissions, select the Grant admin consent to openid and offline_access permissions check box.
    • Select Register.

    2. Create a sign-up and sign-in user flow:

    • Follow the documentation to create a sign-up and sign-in user flow.
    • Once the user flow is created, click on Run user flow.
    • Expand the PKCE configuration section to view the code_challenge and code_verifier values (screenshot omitted).

    3. Get the Authorization Code:

    • Modify the URL below by replacing {tenant}, {user-flow}, <appID>, and <enter_the_value_here> with your tenant name, user flow name, application client ID, and the generated code_challenge value:
    https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{user-flow}/oauth2/v2.0/authorize?client_id=<appID>&response_type=code&redirect_uri=https://jwt.ms&response_mode=query&scope=openid offline_access&state=12345&code_challenge=<enter_the_value_here>&code_challenge_method=S256
    
    • Open the modified URL in a new tab and complete the authentication process to get the authorization code.

    4. Redeem the Code for an ID Token:

    • Once you have the code, use it to redeem an ID token by sending a POST request to the token endpoint. You can use Postman for this. Below is an example of the request:
    POST https://{{Tenant}}.b2clogin.com/{{Tenant}}.onmicrosoft.com/{{policy}}/oauth2/v2.0/token
    

    Include the following parameters in the request:

    client_id:{{Client_ID_B2C}}
    grant_type:authorization_code
    scope:openid offline_access
    code:{{Code}}
    redirect_uri:https://jwt.ms
    code_verifier:{{Code_Verifier}}
    

    Please follow these steps, and let me know if you still encounter the "AADB2C90183: The supplied code_verifier is invalid" error.

    I hope this information is helpful. Please feel free to reach out if you have any further questions.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment". Thanks,

    Raja Pothuraju.
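The procedure in the answer above (generate a verifier/challenge pair, send the challenge on the authorize request, send the raw verifier on the token request) depends on the pair being computed exactly as RFC 7636 specifies for S256: the challenge is the SHA-256 of the ASCII verifier, base64url-encoded with no '=' padding, and the verifier itself must be 43 to 128 characters from [A-Za-z0-9-._~]. The script below is an added example, not code from the question, the answer or Microsoft; it generates a compliant pair, reproduces the check the token endpoint performs, builds the authorize URL and the token-request body in the same shape as the answer's, and shows a look-alike encoding (standard base64 with padding) that never matches. The tenant name "contoso", the user flow "B2C_1_signupsignin" and the all-zero client ID are placeholders, not real values.

```python
"""PKCE helper for the Azure AD B2C authorization-code flow (RFC 7636, S256)."""
import base64
import hashlib
import secrets
import string
from urllib.parse import urlencode

# Characters RFC 7636 allows in a code_verifier: [A-Za-z0-9-._~]
_UNRESERVED = set(string.ascii_letters + string.digits + "-._~")


def b64url_nopad(raw: bytes) -> str:
    """Base64url (RFC 4648 section 5) with the '=' padding stripped, as PKCE requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """Random verifier: 32 bytes -> 43 chars (RFC minimum), 96 bytes -> 128 chars (maximum)."""
    if not 32 <= nbytes <= 96:
        raise ValueError("nbytes must be between 32 and 96")
    return b64url_nopad(secrets.token_bytes(nbytes))


def make_code_challenge(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier))), no padding."""
    return b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())


def verifier_is_well_formed(verifier: str) -> bool:
    """Length and alphabet rules from RFC 7636 section 4.1."""
    return 43 <= len(verifier) <= 128 and all(c in _UNRESERVED for c in verifier)


def challenge_matches(verifier: str, challenge: str) -> bool:
    """The check the token endpoint performs: recompute S256 over the submitted
    verifier and compare it with the challenge stored from the authorize request."""
    if not verifier_is_well_formed(verifier):
        return False
    return secrets.compare_digest(make_code_challenge(verifier), challenge)


def build_authorize_url(tenant, user_flow, client_id, redirect_uri, scope, state, challenge):
    """Authorize URL in the same shape as the one in the answer above."""
    base = f"https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{user_flow}/oauth2/v2.0/authorize"
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": scope,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return base + "?" + urlencode(params)


def build_token_request(tenant, user_flow, client_id, code, redirect_uri, scope, verifier):
    """Token endpoint URL and form body: the same raw verifier, and no client_secret."""
    url = f"https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{user_flow}/oauth2/v2.0/token"
    body = {
        "client_id": client_id,
        "grant_type": "authorization_code",
        "scope": scope,
        "code": code,
        "redirect_uri": redirect_uri,
        "code_verifier": verifier,
    }
    return url, body


def padded_standard_b64_challenge(verifier: str) -> str:
    """Look-alike that is NOT a valid S256 challenge: standard base64 alphabet ('+', '/')
    with '=' padding. Shows how a generator can emit a value that looks right but
    never matches the verifier at the token endpoint."""
    return base64.b64encode(hashlib.sha256(verifier.encode("ascii")).digest()).decode("ascii")


if __name__ == "__main__":
    # Placeholder tenant, user flow and client ID (hypothetical, not real values).
    tenant, flow, app = "contoso", "B2C_1_signupsignin", "00000000-0000-0000-0000-000000000000"
    v = make_code_verifier()
    c = make_code_challenge(v)
    print(build_authorize_url(tenant, flow, app, "https://jwt.ms", "openid offline_access", "12345", c))
    print(build_token_request(tenant, flow, app, "<code from redirect>", "https://jwt.ms",
                              "openid offline_access", v))
    print("verifier matches challenge:", challenge_matches(v, c))
    print("padded standard-base64 look-alike matches:",
          challenge_matches(v, padded_standard_b64_challenge(v)))
```

Keep the verifier only in the client that will redeem the code and send it exactly as generated; any transformation on the way (re-encoding, trimming, a different encoding alphabet) produces a mismatch at the token endpoint even though the authorize request succeeded, because the challenge is only checked when the code is redeemed.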

