{ "id": "api/oauth2-authorization-code-missing-pkce", "signature": "OAuth2 error: authorization_code missing PKCE challenge", "signature_zh": "OAuth2 错误:授权码缺少 PKCE 挑战", "regex": "OAuth2 error: authorization_code missing PKCE challenge", "domain": "api", "category": "auth_error", "subcategory": null, "root_cause": "Authorization code request did not include a code_challenge parameter, but the authorization server requires PKCE for all public clients.", "root_cause_type": "generic", "root_cause_zh": "授权码请求未包含 code_challenge 参数,但授权服务器要求所有公共客户端使用 PKCE。", "versions": [ { "version": "OAuth2 RFC 7636", "introduced": null, "deprecated": null, "removed": null, "behavior_change": null, "status": "active" }, { "version": "Spring Security 6.1+", "introduced": null, "deprecated": null, "removed": null, "behavior_change": null, "status": "active" }, { "version": "Keycloak 22+", "introduced": null, "deprecated": null, "removed": null, "behavior_change": null, "status": "active" }, { "version": "Auth0 2023+", "introduced": null, "deprecated": null, "removed": null, "behavior_change": null, "status": "active" }, { "version": "Okta 2023+", "introduced": null, "deprecated": null, "removed": null, "behavior_change": null, "status": "active" } ], "os_specific": {}, "dead_ends": [ { "action": "", "why_fails": "PKCE is a separate security extension; scopes are unrelated.", "fail_rate": 0.7, "condition": "", "sources": [] }, { "action": "", "why_fails": "If the client is public, the server still enforces PKCE regardless of client_secret.", "fail_rate": 0.5, "condition": "", "sources": [] }, { "action": "", "why_fails": "Most providers enforce PKCE by default and do not allow disabling.", "fail_rate": 0.3, "condition": "", "sources": [] } ], "workarounds": [ { "action": "Generate a code_verifier (random 43-128 chars) and its SHA-256 hash as code_challenge during the authorization request. Example in Python:\nimport hashlib, base64, secrets\ncode_verifier = secrets.token_urlsafe(64)\ncode_challenge = base64.urlsafe_b64encode(hashlib.sha256(code_verifier.encode()).digest()).rstrip(b'=').decode()\nThen include code_challenge=SHA256_hash and code_challenge_method=S256 in the authorization URL.", "success_rate": 0.9, "how": "Generate a code_verifier (random 43-128 chars) and its SHA-256 hash as code_challenge during the authorization request. Example in Python:\nimport hashlib, base64, secrets\ncode_verifier = secrets.token_urlsafe(64)\ncode_challenge = base64.urlsafe_b64encode(hashlib.sha256(code_verifier.encode()).digest()).rstrip(b'=').decode()\nThen include code_challenge=SHA256_hash and code_challenge_method=S256 in the authorization URL.", "condition": "", "sources": [] }, { "action": "If using a library like `requests-oauthlib`, enable PKCE by setting `include_pkce=True` in the OAuth2 session initialization.", "success_rate": 0.85, "how": "If using a library like `requests-oauthlib`, enable PKCE by setting `include_pkce=True` in the OAuth2 session initialization.", "condition": "", "sources": [] } ], "workarounds_zh": [ "Generate a code_verifier (random 43-128 chars) and its SHA-256 hash as code_challenge during the authorization request. Example in Python:\nimport hashlib, base64, secrets\ncode_verifier = secrets.token_urlsafe(64)\ncode_challenge = base64.urlsafe_b64encode(hashlib.sha256(code_verifier.encode()).digest()).rstrip(b'=').decode()\nThen include code_challenge=SHA256_hash and code_challenge_method=S256 in the authorization URL.", "If using a library like `requests-oauthlib`, enable PKCE by setting `include_pkce=True` in the OAuth2 session initialization." ], "transition_graph": { "leads_to": [], "preceded_by": [], "frequently_confused_with": [] }, "official_doc_url": "https://datatracker.ietf.org/doc/html/rfc7636", "official_doc_section": null, "error_code": "invalid_grant", "verification_tier": "ai_generated", "confidence": 0.88, "fix_success_rate": 0.85, "resolvable": "true", "first_seen": "2024-03-12", "last_confirmed": "2024-06-01", "last_updated": "2024-06-01", "evidence_count": 1, "tags": [], "locale": "en", "aliases": [] }