# OAuth2 error: authorization_code missing PKCE challenge

- **ID:** `api/oauth2-authorization-code-missing-pkce`
- **Domain:** api
- **Category:** auth_error
- **Error Code:** `invalid_grant`
- **Verification:** ai_generated
- **Fix Rate:** 85%

## Root Cause

The authorization request (the `response_type=code` redirect to the authorization endpoint) did not include a `code_challenge` parameter, but the authorization server requires PKCE (RFC 7636) for all public clients, so it rejects the request instead of issuing a code.

## Version Compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| OAuth2 RFC 7636 | active | — | — |
| Spring Security 6.1+ | active | — | — |
| Keycloak 22+ | active | — | — |
| Auth0 2023+ | active | — | — |
| Okta 2023+ | active | — | — |

## Workarounds

1. **Generate a `code_verifier` (random 43-128 chars) and its SHA-256 hash as `code_challenge` during the authorization request.** (90% success)
   Example in Python:
   ```python
   import hashlib, base64, secrets
   # High-entropy verifier; token_urlsafe(64) yields ~86 URL-safe chars, inside the 43-128 range
   code_verifier = secrets.token_urlsafe(64)
   # S256 challenge: BASE64URL(SHA256(verifier)) with the '=' padding stripped
   code_challenge = base64.urlsafe_b64encode(hashlib.sha256(code_verifier.encode()).digest()).rstrip(b'=').decode()
   ```
   Then include `code_challenge=<the computed value>` and `code_challenge_method=S256` in the authorization URL, and keep `code_verifier` so it can be sent with the token request.
2. **If using a library like `requests-oauthlib`, enable PKCE by setting `include_pkce=True` in the OAuth2 session initialization.** (85% success)
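The following is an added example that is not part of the original entry: it carries the first workaround through end to end on both sides of the exchange, building the authorization request that the failing client omitted, a pre-flight check that the request actually carries PKCE parameters, the token request that presents the verifier, and the comparison an authorization server performs before it accepts the verifier. The endpoint URLs, client ID and redirect URI are constructed placeholders, not a real provider.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholder values for illustration; substitute the real provider's endpoints.
AUTHORIZE_URL = "https://auth.example.test/oauth2/authorize"
TOKEN_URL = "https://auth.example.test/oauth2/token"
CLIENT_ID = "example-public-client"
REDIRECT_URI = "https://app.example.test/callback"


def generate_code_verifier(n_bytes: int = 64) -> str:
    """Return a high-entropy code_verifier; RFC 7636 requires 43..128 unreserved chars."""
    verifier = secrets.token_urlsafe(n_bytes)
    if not 43 <= len(verifier) <= 128:
        raise ValueError("code_verifier length out of range")
    return verifier


def code_challenge_s256(code_verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier))) with padding stripped."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorization_url(code_verifier: str, state: str, scope: str = "openid") -> str:
    """Authorization request that carries the challenge; the failing request lacked these two params."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
        "code_challenge": code_challenge_s256(code_verifier),
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def has_pkce_challenge(authorization_url: str) -> bool:
    """Client-side pre-flight: refuse to redirect if the request would be rejected for missing PKCE."""
    qs = parse_qs(urlparse(authorization_url).query)
    return "code_challenge" in qs and qs.get("code_challenge_method") == ["S256"]


def build_token_request(code: str, code_verifier: str) -> dict:
    """Token request body: the verifier, not the challenge, goes to the token endpoint."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": code_verifier,
    }


def server_verify_pkce(stored_challenge: str, stored_method: str, presented_verifier: str) -> bool:
    """Authorization-server side: recompute the challenge from the presented verifier and compare.

    The server stored (challenge, method) with the issued code; a mismatch or a missing
    verifier is what produces the token-endpoint rejection described on this page.
    """
    if stored_method != "S256":
        return False  # only the S256 method is accepted; 'plain' offers no protection
    if not 43 <= len(presented_verifier) <= 128:
        return False
    expected = code_challenge_s256(presented_verifier)
    return hmac.compare_digest(expected, stored_challenge)


if __name__ == "__main__":
    verifier = generate_code_verifier()
    state = secrets.token_urlsafe(16)
    url = build_authorization_url(verifier, state)
    assert has_pkce_challenge(url)
    print("authorization URL:", url)
    print("token request:", build_token_request("<code from callback>", verifier))
    print("server accepts verifier:", server_verify_pkce(code_challenge_s256(verifier), "S256", verifier))
```

The `has_pkce_challenge` check is the cheapest place to catch this error: run it on the URL your client is about to redirect to, before the round trip, rather than parsing the provider's error response afterwards. `server_verify_pkce` uses a constant-time comparison because the stored challenge is a secret-derived value that the token endpoint compares on every exchange.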

## Dead Ends

- **Adding or changing scopes** — PKCE is a separate security extension; scopes are unrelated. (70% fail)
- **Adding a `client_secret` to the request** — If the client is public, the server still enforces PKCE regardless of `client_secret`. (50% fail)
- **Disabling PKCE on the authorization server** — Most providers enforce PKCE by default and do not allow disabling. (30% fail)
