
Ory Hydra cannot parse the base64 encoded code_verifier parameter on token request


My Problem

I am trying to implement Code Flow + PKCE, using Ory Hydra as my identity provider. I am unable to retrieve a token. I believe the problem originates with this library and the way it generates the code_verifier parameter for the token request (although I am not certain).

My config:

export const authConfig: AuthConfig = {
  issuer: 'http://localhost:4444/',
  redirectUri: window.location.origin,
  clientId: 'test-client',
  responseType: 'code',
  scope: 'openid profile',
  requireHttps: false,
  clearHashAfterLogin: true,
  showDebugInformation: true,
};

What works so far is the redirect to login with initCodeFlow(). I am redirected back to my Angular app and then angular-oauth2-oidc attempts to request the token. This is where it starts to go wrong. The request that is made (I formatted it as cURL because it's easy to read):

curl 'http://localhost:4444/oauth2/token' \
  -H 'Accept: application/json, text/plain, */*' \
  -H 'Referer: http://localhost:4200/' \
  -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.75 Safari/537.36' \
  -H 'Sec-Fetch-Mode: cors' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  --data 'grant_type=authorization_code&code=Sb3VNw4DoshWvNKwcik0c0RnOjULsxNHJdPtIPZ73fc.x1L4xBijtwk9zC_6EPGsPrWplXoNf-tzN6Plr-Fg2-Y&redirect_uri=http://localhost:4200&code_verifier=WIMRUzBojQj8-MYoyvM3IWek99R3OfhDeBYnvFX6witWu&client_id=test-client' \
  --compressed

The bit that is apparently not working is this:

code_verifier=WIMRUzBojQj8-MYoyvM3IWek99R3OfhDeBYnvFX6witWu

The response I get from Hydra is this:

{
  "error":"invalid_grant",
  "error_description":"The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client",
  "error_hint":"Unable to decode code_verifier using base64 url decoding without padding.",
  "status_code":400
}

Now, tracking this down in their code base (the error_hint field is useful), we see this code: https://github.com/ory/fosite/blob/master/handler/pkce/handler.go#L176-L203. I've also used the Go playground to replicate it: https://play.golang.net/p/vVz7UOVd7-y. I have also noticed that if I change the length of the verifier string by 1 character it parses successfully (it's 33 characters at the moment).

Have I misconfigured the library somehow? Is this a bug?

Expected behavior

A valid token exchange.

jfyne commented, Sep 19, 2019

Hi @jeroenheijmans after reading the spec, I am close to convinced the createNonce function is the culprit here. I created a PR #629 to change how it is implemented to follow what is mentioned in the spec. Ory Hydra does support S256, you can see the implementation here.

The modified implementation is like this, I quoted the parts of the spec so you can see my reasoning.

  1. Generate a high entropy cryptographic string, the current implementation looks like it is using just the base64url characters and is not using “.” and “~”.

code_verifier = high-entropy cryptographic random STRING using the unreserved characters [A-Z] / [a-z] / [0-9] / “-” / “.” / “_” / “~” from Section 2.3 of [RFC3986], with a minimum length of 43 characters and a maximum length of 128 characters.

  2. Then base64url encode the high entropy string. So once we have generated our string, base64url encode it to be transmitted. For that I just used the base64UrlEncode function in base64-helper.ts which does use btoa.

The octet sequence is then base64url-encoded to produce a 43-octet URL safe string to use as the code verifier.

tech-sam commented, Nov 27, 2019

Hi @jeroenheijmans, I am also facing the same issue posted by @jfyne regarding base64 encoding when using Ory Hydra as my identity provider:

{
    "error": "invalid_grant",
    "error_description": "The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client",
    "error_hint": "Unable to decode code_verifier using base64 url decoding without padding.",
    "status_code": 400,
    "error_debug": "illegal base64 data at input byte 44"
}

Can we have a solution for this, as a PR has already been raised by @jfyne? @jfyne, thanks for the PR and for mentioning the details.
