When implementing the Authorization Code with a Proof Key for Code Exchange (PKCE) flow, the following error message may display:
error: invalid_request
error_description: PKCE code challenge contains illegal characters.
- OAuth2.0
- OpenID Connect (OIDC)
- Proof Key for Code Exchange (PKCE)
- Authorization Code
- API Access Management
When the Authorization Code with PKCE (Proof Key for Code Exchange) flow is implemented with the S256 method, the authorize request must carry a code_challenge that is the base64url-encoded (no "=" padding) SHA-256 hash of the code verifier. The code verifier itself is a random, high-entropy string of 43 to 128 characters drawn from the same unreserved character set.
According to the Augmented Backus-Naur Form (ABNF) definition for the code challenge in RFC 7636, a code_challenge cannot contain any character outside the set of unreserved characters (the set originally defined in RFC 3986).
The ABNF for code_challenge is as follows:
code-challenge = 43*128unreserved (a sequence that must be between 43 and 128 characters long)
unreserved = ALPHA / DIGIT / "-" / "." / "_" / "~"
ALPHA = %x41-5A / %x61-7A (any uppercase (A-Z) or lowercase (a-z) letter)
DIGIT = %x30-39 (any digit from 0 to 9)
The only permitted non-alphanumeric characters are "-", ".", "_" and "~". Note that "+", "/" and "=" are not in this set, so a challenge produced with standard Base64 instead of base64url will fail.
If the Code Challenge contains any characters that are not included in the list of unreserved characters, then Okta will produce the referenced error when making the authorize call.
To resolve this error, validate the code challenge before sending the authorize request and ensure it is not generated with characters outside the unreserved set. In practice this almost always means the SHA-256 digest was encoded with standard Base64 (which can emit "+", "/" and a trailing "=") rather than base64url without padding. This validation can be performed with a regular expression that mirrors the ABNF above.
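The following is an added example, not code from the original article or from Okta: it generates an S256 code challenge the way RFC 7636 specifies, validates it against a regular expression equivalent to the ABNF above, and shows the common mistake (standard Base64 instead of base64url) that triggers this error. The function and variable names are this example's own. The known-answer values come from RFC 7636 Appendix B.

```python
import base64
import hashlib
import re
import secrets

# Mirrors RFC 7636 section 4.2:
#   code-challenge = 43*128unreserved
#   unreserved     = ALPHA / DIGIT / "-" / "." / "_" / "~"
CODE_CHALLENGE_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def b64url_no_pad(data: bytes) -> str:
    """base64url encoding with the trailing '=' padding removed."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def generate_code_verifier(num_bytes: int = 32) -> str:
    """Random code verifier. 32 random bytes -> 43 unreserved characters,
    the minimum length RFC 7636 allows; 96 bytes would give the 128 maximum."""
    return b64url_no_pad(secrets.token_bytes(num_bytes))


def s256_code_challenge(code_verifier: str) -> str:
    """code_challenge = BASE64URL-ENCODE(SHA256(ASCII(code_verifier)))."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return b64url_no_pad(digest)


def broken_s256_code_challenge(code_verifier: str) -> str:
    """The common bug: standard Base64 keeps '=' padding and may emit '+' or '/',
    none of which are unreserved characters. Okta rejects this with
    'PKCE code challenge contains illegal characters'."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def is_valid_code_challenge(code_challenge: str) -> bool:
    """True when the value satisfies the code-challenge ABNF."""
    return CODE_CHALLENGE_RE.fullmatch(code_challenge) is not None


def illegal_characters(code_challenge: str) -> set:
    """Characters that would make Okta reject the challenge, for diagnostics."""
    return {c for c in code_challenge if not re.fullmatch(r"[A-Za-z0-9\-._~]", c)}


if __name__ == "__main__":
    # Known-answer pair from RFC 7636 Appendix B.
    rfc_verifier = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
    print("challenge :", s256_code_challenge(rfc_verifier))
    bad = broken_s256_code_challenge(rfc_verifier)
    print("broken    :", bad, "illegal:", sorted(illegal_characters(bad)))

    verifier = generate_code_verifier()
    challenge = s256_code_challenge(verifier)
    print("fresh pair valid:", is_valid_code_challenge(challenge))
```

Run the validation on the exact string you are about to place in the code_challenge query parameter; if `illegal_characters` reports "+", "/" or "=", switch the encoder to base64url and strip the padding rather than trying to substitute characters after the fact, since the server recomputes the hash from the verifier at token exchange and the two must match byte for byte.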
