invalid_grant
api
auth_error
ai_generated
true
OAuth2 错误:授权码缺少 PKCE 挑战
OAuth2 error: authorization_code missing PKCE challenge
ID: api/oauth2-authorization-code-missing-pkce
85%修复率
88%置信度
1证据数
2024-03-12首次发现
版本兼容性
| 版本 | 状态 | 引入 | 弃用 | 备注 |
|---|---|---|---|---|
| OAuth2 RFC 7636 | active | — | — | — |
| Spring Security 6.1+ | active | — | — | — |
| Keycloak 22+ | active | — | — | — |
| Auth0 2023+ | active | — | — | — |
| Okta 2023+ | active | — | — | — |
根因分析
授权码请求未包含 code_challenge 参数,但授权服务器要求所有公共客户端使用 PKCE。
English
Authorization code request did not include a code_challenge parameter, but the authorization server requires PKCE for all public clients.
官方文档
https://datatracker.ietf.org/doc/html/rfc7636解决方案
-
Generate a code_verifier (random 43-128 chars) and its SHA-256 hash as code_challenge during the authorization request. Example in Python: import hashlib, base64, secrets code_verifier = secrets.token_urlsafe(64) code_challenge = base64.urlsafe_b64encode(hashlib.sha256(code_verifier.encode()).digest()).rstrip(b'=').decode() Then include code_challenge=SHA256_hash and code_challenge_method=S256 in the authorization URL.
-
If using a library like `requests-oauthlib`, enable PKCE by setting `include_pkce=True` in the OAuth2 session initialization.
无效尝试
常见但无效的做法:
-
70% 失败
PKCE is a separate security extension; scopes are unrelated.
-
50% 失败
If the client is public, the server still enforces PKCE regardless of client_secret.
-
30% 失败
Most providers enforce PKCE by default and do not allow disabling.