Ory Hydra cannot parse the base64 encoded code_verifier parameter on token request
My Problem
I am trying to implement Code Flow + PKCE, using Ory Hydra as my identity provider. I am unable to retrieve a token. I believe the problem originates with this library and the way it generates the code_verifier parameter for the token request (although I am not certain).
My config:
export const authConfig: AuthConfig = {
issuer: 'http://localhost:4444/',
redirectUri: window.location.origin,
clientId: 'test-client',
responseType: 'code',
scope: 'openid profile',
requireHttps: false,
clearHashAfterLogin: true,
showDebugInformation: true,
};
What works so far is the redirect to login with initCodeFlow(); I am redirected back to my Angular app and then angular-oauth2-oidc attempts to request the token. This is where it starts to go wrong. The request that is made (I formatted it as cURL because it's easy to read):
curl 'http://localhost:4444/oauth2/token' \
-H 'Accept: application/json, text/plain, */*' \
-H 'Referer: http://localhost:4200/' \
-H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.75 Safari/537.36' \
-H 'Sec-Fetch-Mode: cors' \
-H 'Content-Type: application/x-www-form-urlencoded' \
--data 'grant_type=authorization_code&code=Sb3VNw4DoshWvNKwcik0c0RnOjULsxNHJdPtIPZ73fc.x1L4xBijtwk9zC_6EPGsPrWplXoNf-tzN6Plr-Fg2-Y&redirect_uri=http://localhost:4200&code_verifier=WIMRUzBojQj8-MYoyvM3IWek99R3OfhDeBYnvFX6witWu&client_id=test-client' \
--compressed
The bit that is apparently not working is this:
code_verifier=WIMRUzBojQj8-MYoyvM3IWek99R3OfhDeBYnvFX6witWu
The response I get from Hydra is this
{
"error":"invalid_grant",
"error_description":"The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client",
"error_hint":"Unable to decode code_verifier using base64 url decoding without padding.",
"status_code":400
}
Tracking this down in their code base, the error_hint field is useful; we see this code: https://github.com/ory/fosite/blob/master/handler/pkce/handler.go#L176-L203. I've also used the Go playground to replicate it: https://play.golang.net/p/vVz7UOVd7-y. I have also noticed that if I change the length of the verifier string by 1 character it parses successfully (it's 33 characters at the moment).
Have I misconfigured the library somehow? Is this a bug?
Expected behavior: A valid token exchange.
Issue Analytics: created 4 years ago; 9 comments (4 by maintainers)
Hi @jeroenheijmans, after reading the spec, I am close to convinced the createNonce function is the culprit here. I created a PR #629 to change how it is implemented to follow what is mentioned in the spec. Ory Hydra does support S256, you can see the implementation here. The modified implementation is like this; I quoted the parts of the spec so you can see my reasoning.

base64UrlEncode function in base64-helper.ts, which does use btoa.

Hi @jeroenheijmans, I am also facing the same issue posted by @jfyne regarding base64 encoding with Ory Hydra as my identity provider. Can we have a solution for this, as a PR has already been raised by @jfyne?

@jfyne thanks for the PR and mentioning the details.