Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

PKCE flow does not work

See original GitHub issue

Describe the bug Using provider with specify PKCE auth flow does not work. A provider such Okta expects a PKCE flow to work, this flow expect the follow params:

client_id=0oapu4btsL2xI0y8y356 &redirect_uri=http://localhost:3000/api/auth/callback/okta &response_type=id_token token &response_mode=fragment &state=SU8nskju26XowSCg3bx2LeZq7MwKcwnQ7h6vQY8twd9QJECHRKs14OwXPdpNBI58 &nonce=Ypo4cVlv0spQN2KTFo3W4cgMIDn6sLcZpInyC40U5ff3iqwUGLpee7D4XcVGCVco &scope=openid profile email

Using the protection: "pkce" config, does not seems to work, it also removes the param state. I tried to create a custom provider, but I could not find any logic where the nonce param is set.

Steps to reproduce I’ve used the Okta provider and tried with and without the protection: "pkce".

Expected behavior protection: “pkce” should have the follow changes:

keep the state param
add nonce param
response_type changed to id_token token code
add response_mode = fragment

Screenshots or error logs Error provided on next console does not match the errors returned by the okta api. The real erros from the api would be complaining about missing params.

Feedback there is a great doc about PKCE with okta here: https://developer.okta.com/blog/2019/08/22/okta-authjs-pkce

Found the documentation helpful
Found documentation but was incomplete
Could not find relevant documentation
Found the example project helpful
Did not find the example project helpful

Issue Analytics

State:
Created 3 years ago
Comments:11 (10 by maintainers)

Top GitHub Comments

1reaction

viniciuscrcommented, Mar 16, 2021

When using the protection: "pkce" I got this: http://localhost:3000/api/auth/callback/okta?error=invalid_request&error_description=The+authentication+request+has+an+invalid+%27state%27+parameter.

without protection: "pkce" I got this: http://localhost:3000/api/auth/callback/okta?state=2e828fc976033919e8f99caee9c4774ca469d5359a650fbe9d3b5af09cfe7b04&error=invalid_request&error_description=PKCE+code+challenge+is+required+when+the+token+endpoint+authentication+method+is+%27NONE%27.

using the custom provider I got this: http://localhost:3000/api/auth/callback/okta#error=invalid_request&error_description=The+%27nonce%27+parameter+is+required+for+authorize+requests+with+either+the+%27id_token%27+or+%27token%27+response+types..

the params expected for okta with PKCE are the follow: https://developer.okta.com/blog/2019/08/22/okta-authjs-pkce#replace-implicit-flow-with-pkce

Nextjs console gives me:

https://next-auth.js.org/errors#oauth_callback_error {
  statusCode: 400,
  data: `{"error":"invalid_request","error_description":"The token request must specify a 'grant_type'. Valid values: [authorization_code, implicit]"}`
}

adding

 params: {
        grant_type: "authorization_code" ..

gives me :

https://next-auth.js.org/errors#oauth_callback_error {
  statusCode: 400,
  data: '{"error":"invalid_grant","error_description":"The authorization code is invalid or has expired."}'
}

But, again, this next-auth erros, does not match the response from okta.

I do remember seeing the same params for Azure B2C.

0reactions

ranjeetthoratcommented, Nov 19, 2021

@viniciuscr is this resolved