I have a client side application that I want to authorize using Auth0, and I'm using the workflow described here:
https://auth0.com/docs/api-auth/tutorials/authorization-code-grant-pkce
The only wrinkle is that I am using Python, so I wrote my own challenge/verifier pair.
    import hashlib
    import secrets
    from base64 import urlsafe_b64encode

    def base64URLEncode(random_bytes):
        # urlsafe_b64encode keeps the trailing '=' padding
        return urlsafe_b64encode(random_bytes)

    def sha256(buffer):
        m = hashlib.sha256()
        m.update(buffer)
        return m.digest()

    verifier = base64URLEncode(secrets.token_bytes(32))
    challenge = base64URLEncode(sha256(verifier))
The app is a Flask command line app that opens a page for the user to log in with google in their web browser, then listens on the redirect URI for the response code.
I construct the URL to start the authorization like this:
    url = DOMAIN + urllib.parse.urlencode(params)
    webbrowser.open(url)
I get back the code from the Google login; however, when I try to exchange the code for an access token:
    payload = {
        'grant_type': 'authorization_code',
        'client_id': CLIENT_ID,
        'code_verifier': verifier,
        'code': code,
        'redirect_uri': 'http://localhost:5001/get_code'
    }
    res = requests.post("https://cidc-test.auth0.com/oauth/token", json=payload)
I get back an error of the following type:
    {'error': 'invalid_grant', 'error_description': 'Failed to verify code verifier'}
I'm not sure why the verifier is bad, since checking it locally, the verifier digests to the same value as the challenge.
OK, it turns out this was a specific problem with Auth0: Auth0 doesn't want the padding character at the end of the base64-encoded string. My code works once that is added.
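The padding issue from the answer, as an added example that is neither the asker's nor Auth0's code: an RFC 7636 S256 verifier/challenge pair with the base64url padding stripped, a verifier-side check of the kind a token endpoint performs, and a padded_challenge helper that reproduces the question's original output so the mismatch is visible. The RFC 7636 Appendix B test vector is used as a known-answer check.

```python
import base64
import hashlib
import re
import secrets

# RFC 7636 section 4.1: unreserved characters only, 43 to 128 of them.
VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")

# Known-answer vector from RFC 7636 Appendix B.
RFC7636_VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
RFC7636_CHALLENGE = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"


def b64url_nopad(data: bytes) -> str:
    """base64url encoding with the trailing '=' padding removed (RFC 7636 App. A)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_verifier(n_bytes: int = 32) -> str:
    """Random verifier from n_bytes of CSPRNG output; 32 bytes gives 43 characters."""
    return b64url_nopad(secrets.token_bytes(n_bytes))


def make_challenge(verifier: str) -> str:
    """S256 challenge: base64url(SHA-256(ASCII(verifier))) without padding."""
    return b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())


def padded_challenge(verifier: str) -> str:
    """What the question's code produced: same digest, but with '=' padding kept."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).decode("ascii")


def verify(verifier: str, challenge: str) -> bool:
    """Token-endpoint style check: validate the verifier's shape, then recompute
    the challenge and compare in constant time. A padded challenge, or a
    verifier containing '=', fails here just as Auth0 rejected it."""
    if not VERIFIER_RE.match(verifier):
        return False
    return secrets.compare_digest(make_challenge(verifier), challenge)


if __name__ == "__main__":
    v = make_verifier()
    print("verifier :", v)
    print("challenge:", make_challenge(v))
    print("padded form accepted?", verify(v, padded_challenge(v)))
```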