
The Code_Verifier does not match the code_challenge


Library

  • msal@1.x.x or @azure/msal@1.x.x
  • @azure/msal-browser@2.x.x
  • @azure/msal-node@1.x.x
  • @azure/msal-react@1.x.x
  • @azure/msal-angular@0.x.x
  • @azure/msal-angular@1.x.x
  • @azure/msal-angular@2.x.x
  • @azure/msal-angularjs@1.x.x

Framework

  • Angular
  • React
  • Other

Description

Error Message

Uncaught (in promise) ServerError: invalid_grant: 501481 - [2021-03-19 13:18:03Z]: AADSTS501481: The Code_Verifier does not match the code_challenge supplied in the authorization request.

MSAL Configuration

// Import assumed: @azure/msal-browser 2.x is the library this issue concerns.
import {PublicClientApplication} from '@azure/msal-browser'

// `origin` (the app origin, e.g. window.location.origin), `cloudDiscoveryMetadata`
// and `authorityMetadata` are defined elsewhere in the author's module.
const initMsal = ({msalConfig}) => {
  const postLogoutRedirectUri =
    process.env.AZURE_AD_REDIRECT_URL + '?redirectTo=' + origin + '/logout'

  const auth = {
    postLogoutRedirectUri,
    cloudDiscoveryMetadata,
    authorityMetadata,
    ...msalConfig.auth // caller-supplied auth settings override the defaults above
  }

  // Cache tokens in localStorage unless the caller overrides cacheLocation
  const cache = {cacheLocation: 'localStorage', ...msalConfig.cache}
  const config = {...msalConfig, auth, cache}

  return new PublicClientApplication(config)
}

Reproduction steps

I’m using silent SSO and using a cross-domain postMessage broker to retrieve the login hint. The first time the page is loaded (clean cache) I get the above error. It would further seem that the user is actually logged in: .getAllAccounts() has an account and the next load logs the user in instantly. Didn’t include code as it doesn’t seem pertinent, would be happy to provide anything necessary.

Expected behavior

The user should log in with no interaction

Identity Provider

  • Azure AD
  • Azure B2C Basic Policy
  • Azure B2C Custom Policy
  • ADFS
  • Other

Browsers/Environment

  • Chrome
  • Firefox
  • Edge
  • Safari
  • IE
  • Other (Please add browser name here)

Regression

  • Did this behavior work before? Version:

Security

  • Is this issue security related?

Source

  • Internal (Microsoft)
  • Customer request

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Comments: 6 (2 by maintainers)

Top GitHub Comments

1 reaction
tnorling commented, Apr 7, 2021

Found that the application code is passing in state with the current URL and making several ssoSilent requests. On the 2nd call to the /authorize endpoint, this URL stored in state somehow has the response hash from the first call to the /authorize endpoint; this results in a response URL that has 2 codes in it: the code returned from the server and the code from the first call that was added to state. This resulted in a mismatch when exchanging the code for a token.

Mitigations are to:

  1. Strip the hash off of the url before passing into state
  2. Make sure the page used as redirectUri is not invoking msal APIs or altering the hash on page load (you can use a blank page for silent and popup scenarios)

MSAL should be blocking auth requests inside hidden iframes so it’s not clear how the 2nd call is getting the response url from the first.
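The two mitigations above, as an added example that is not code from the MSAL project or from the issue author: a helper that strips the fragment before the URL goes into state, a guard for the redirect page, and a check that flags a response whose state still carries a fragment. Helper names are hypothetical and the sample URL is constructed.

```javascript
// Added example, not code from the MSAL project or the issue author.
// Helper names are hypothetical; the sample URL below is constructed.

// Mitigation 1: keep only origin + path in the URL passed as `state`, so a
// stale "#code=...&state=..." fragment from a previous response can never be
// echoed back by the identity provider inside the next ssoSilent response.
function cleanReturnTo(currentHref) {
  const url = new URL(currentHref);
  url.hash = '';
  url.search = '';
  return url.toString();
}

// Mitigation 2: the page at redirectUri must not initialise MSAL when it is
// the hidden iframe used by ssoSilent/popup flows; the top window owns the
// flow. In the browser, pass `window.self !== window.top`.
function shouldInitMsal(isFramed) {
  return !isFramed;
}

// Sanity check on a redirect response fragment before MSAL handles it:
// exactly one `code`, and a `state` that does not itself carry a fragment.
function inspectResponseFragment(fragment) {
  const params = new URLSearchParams(fragment.replace(/^#/, ''));
  const codes = params.getAll('code');
  const state = params.get('state') || '';
  return {
    codeCount: codes.length,
    stateHasFragment: state.includes('#'),
    ok: codes.length === 1 && !state.includes('#'),
  };
}

// Constructed sample: a page URL that still carries the previous auth
// response in its hash, the situation the comment above describes.
const STALE_HREF = 'https://app.example/dashboard?tab=1#code=AUTHCODE_ONE&state=abc';

function demo() {
  const cleaned = cleanReturnTo(STALE_HREF); // 'https://app.example/dashboard'
  // The IdP echoes `state` back (URL-encoded) in the response fragment.
  const stale = inspectResponseFragment(
    '#code=AUTHCODE_TWO&state=' + encodeURIComponent(STALE_HREF));
  const good = inspectResponseFragment(
    '#code=AUTHCODE_TWO&state=' + encodeURIComponent(cleaned));
  return { cleaned, stale, good }; // stale.ok === false, good.ok === true
}
```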

1 reaction
tnorling commented, Mar 19, 2021

@mbrevda This is likely a usage issue; can you provide as much relevant code as possible so that I can try to reproduce? Also, a Fiddler trace would be helpful so I can check against server logs. You can email it to me; my email's on my profile. Thanks!
