Tags: invalid_grant, api, auth_error
AI generated: true
OAuth2 error: authorization_code missing PKCE challenge
ID: api/oauth2-authorization-code-missing-pkce
Fix Rate: 85%
Confidence: 88%
Evidence: 1
First Seen: 2024-03-12
Version Compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| OAuth2 RFC 7636 | active | — | — | — |
| Spring Security 6.1+ | active | — | — | — |
| Keycloak 22+ | active | — | — | — |
| Auth0 2023+ | active | — | — | — |
| Okta 2023+ | active | — | — | — |
Root Cause
The authorization request sent to the authorization endpoint did not include a code_challenge parameter, but the authorization server requires PKCE (RFC 7636) for all public clients. Per RFC 7636 section 4.4.1, a server that requires PKCE rejects such a request at the authorization endpoint with invalid_request; a missing or mismatched code_verifier when the code is later redeemed at the token endpoint is reported as invalid_grant (section 4.6). Either way the fix is on the client: generate the verifier, send the challenge with the authorization request, and send the verifier with the token request.
Official Documentation
https://datatracker.ietf.org/doc/html/rfc7636
Workarounds
- 90% success: Generate a code_verifier (43-128 unreserved characters) and derive code_challenge as the base64url-encoded (unpadded) SHA-256 hash of it before building the authorization request. Example in Python:

  ```python
  import hashlib, base64, secrets

  code_verifier = secrets.token_urlsafe(64)  # 86 characters, inside the 43-128 range
  code_challenge = base64.urlsafe_b64encode(
      hashlib.sha256(code_verifier.encode()).digest()
  ).rstrip(b'=').decode()
  ```

  Then include code_challenge=<the computed value> and code_challenge_method=S256 in the authorization URL, keep code_verifier on the client, and send it as the code_verifier parameter of the token request that redeems the authorization code. A challenge without the matching verifier at the token endpoint still fails with invalid_grant.
- 85% success: If using a library such as `requests-oauthlib` (2.0 or later), enable PKCE by passing `pkce="S256"` when constructing `OAuth2Session`; the session then generates the verifier and challenge, adds them to the URL returned by `authorization_url()`, and sends code_verifier with the token request made by `fetch_token()`.
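Added example (not code from this page or from any of the providers listed above): the complete S256 round trip in Python, covering both workarounds' client side and a toy authorization server that enforces PKCE the way RFC 7636 sections 4.4.1 and 4.6 describe. The endpoint, client_id and redirect_uri are made-up values for the example, and ToyAuthorizationServer is a stand-in written here, not any real server's API. Calling run_flow with with_pkce=False reproduces the failing request from the Root Cause section; with PKCE the token endpoint accepts the code only together with the matching code_verifier, and only once.

```python
import base64
import hashlib
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical endpoint and client registration, used only for this example.
AUTHORIZE_ENDPOINT = "https://as.example/authorize"
CLIENT_ID = "example-public-client"
REDIRECT_URI = "https://app.example/cb"


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 Appendix A specifies."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def code_challenge_s256(code_verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) (RFC 7636 section 4.2)."""
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


def make_pkce_pair() -> Tuple[str, str]:
    """token_urlsafe(64) gives 86 unreserved characters, inside the 43..128 range."""
    verifier = secrets.token_urlsafe(64)
    return verifier, code_challenge_s256(verifier)


def build_authorization_url(state: str, code_challenge: Optional[str]) -> str:
    """code_challenge=None reproduces the failing request this page is about."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid",
        "state": state,
    }
    if code_challenge is not None:
        params["code_challenge"] = code_challenge
        params["code_challenge_method"] = "S256"
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


class ToyAuthorizationServer:
    """Stand-in for the server side (not a real product): it binds the challenge to
    the issued code and checks the verifier once at the token endpoint."""

    def __init__(self) -> None:
        self._codes: Dict[str, Tuple[str, str]] = {}  # code -> (challenge, client_id)

    def authorize(self, url: str) -> Dict[str, str]:
        q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
        if "code_challenge" not in q:
            # A server that requires PKCE rejects here (RFC 7636 section 4.4.1).
            return {"error": "invalid_request",
                    "error_description": "code_challenge is required for public clients"}
        if q.get("code_challenge_method", "plain") != "S256":
            return {"error": "invalid_request", "error_description": "only S256 is accepted"}
        code = secrets.token_urlsafe(24)
        self._codes[code] = (q["code_challenge"], q["client_id"])
        return {"code": code, "state": q["state"]}

    def token(self, code: str, code_verifier: Optional[str], client_id: str) -> Dict[str, str]:
        entry = self._codes.pop(code, None)  # authorization codes are single use
        if entry is None or code_verifier is None or client_id != entry[1]:
            return {"error": "invalid_grant"}
        if not secrets.compare_digest(code_challenge_s256(code_verifier), entry[0]):
            return {"error": "invalid_grant"}  # verifier mismatch (RFC 7636 section 4.6)
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


def run_flow(server: ToyAuthorizationServer, with_pkce: bool = True) -> Dict[str, str]:
    """Client round trip: authorization request, redirect back, code redemption."""
    state = secrets.token_urlsafe(16)
    verifier, challenge = make_pkce_pair()
    resp = server.authorize(build_authorization_url(state, challenge if with_pkce else None))
    if "error" in resp:
        return resp
    if not secrets.compare_digest(resp["state"], state):
        return {"error": "state_mismatch"}
    return server.token(resp["code"], verifier, CLIENT_ID)


if __name__ == "__main__":
    srv = ToyAuthorizationServer()
    print(run_flow(srv, with_pkce=False))  # the failing request: invalid_request
    print(run_flow(srv, with_pkce=True))   # access token issued
```

code_challenge_s256 reproduces the RFC 7636 Appendix B test vector, which is a quick way to check any hand-rolled implementation: the verifier dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk must yield the challenge E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM.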
Dead Ends
Common approaches that don't work:
- 70% fail: Changing the requested scopes. PKCE is a separate security extension (RFC 7636); scopes are unrelated to it.
- 50% fail: Sending a client_secret instead of a code_challenge. If the client is registered as public, the server still enforces PKCE regardless of client_secret.
- 30% fail: Turning off the PKCE requirement on the authorization server. Most providers enforce PKCE for public clients by default and do not allow disabling it.