
How to get PKCE challenge working with Asana API


I am trying to connect to the Asana API using OAuth. I have everything else running ok, but when I try PKCE it doesn't work.

I first generate a code verifier. After some googling this is the code I have:

$code_verifier = rtrim(strtr(base64_encode(random_bytes(64)), '+/', '-_'), '=');

I send this to the token exchange. Then I hash this and base64url encode it and pass that on to the authorization request from the browser.

// S256 challenge: raw SHA-256 of the verifier, then base64url without padding
$hashed = hash('sha256', $code_verifier, true);
$code_challenge = rtrim(strtr(base64_encode($hashed), '+/', '-_'), '=');

// Authorization request: the challenge (not the verifier) goes to the browser redirect
$url = $asana_client->dispatcher->oauthClient->getAuthenticationUrl(
    OAuthDispatcher::$AUTHORIZATION_ENDPOINT,
    $asana_client_redirect_url,
    array(
        'state' => $state,
        'code_challenge' => $code_challenge,
        'code_challenge_method' => 'S256'
    )
);

// Token exchange (callback request): $current_verifier must be the exact verifier
// generated above, reloaded from wherever it was stored across the redirect
$result = $asana_client->dispatcher->oauthClient->getAccessToken(
    OAuthDispatcher::$TOKEN_ENDPOINT,
    'authorization_code',
    array(
        'code' => $_GET['code'],
        'redirect_uri' => $asana_client_redirect_url,
        'code_verifier' => $current_verifier
    )
);

But I get back a 400 error "invalid grant" with the description "The PKCE code_verifier does not match the stored code challenge."

Weirdly enough if I don't send the code verifier to the token exchange point it works. Is it supposed to be like that? Seems weird to me but also like a pretty big bug if it isn't supposed to be like that.

Am I doing something wrong? All the googling I did and my own double checking makes it seem like this is what I'm supposed to do... any help would be appreciated.


Solution

  • For anyone who might find this question and find this helpful... Seems CBroe was on the right track. I was saving the code verifier to send to the token exchange in the wrong place, so it wasn't sending the right one. Got it working now.
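An added example (not the asker's code or the Asana client library) of the storage pattern behind the fix: keep the verifier in the session keyed by the OAuth state, pull it back out in the callback by that same state, and recompute the S256 challenge locally the way the token endpoint does. The function names base64url, pkceStart, pkceVerifierFor and pkceMatches are assumed; the Asana client calls stay as in the question.

```php
<?php
// Added example, not from the original post. Assumes a started PHP session and that
// pkceStart() runs in the redirect handler and pkceVerifierFor() in the callback.

function base64url(string $bytes): string {
    return rtrim(strtr(base64_encode($bytes), '+/', '-_'), '=');
}

// Step 1, before redirecting the browser: make verifier + challenge and remember
// the verifier under the state value, so a concurrent login cannot overwrite it.
function pkceStart(): array {
    $verifier  = base64url(random_bytes(64));                 // 86 chars, inside RFC 7636's 43..128
    $challenge = base64url(hash('sha256', $verifier, true));  // S256 method
    $state     = base64url(random_bytes(16));
    $_SESSION['pkce'][$state] = $verifier;
    return [
        'state'                 => $state,
        'code_challenge'        => $challenge,
        'code_challenge_method' => 'S256',
    ];
}

// Step 2, in the callback: fetch the verifier that belongs to the returned state
// and discard it so it can only be used for one token exchange.
function pkceVerifierFor(string $state): ?string {
    $verifier = $_SESSION['pkce'][$state] ?? null;
    unset($_SESSION['pkce'][$state]);
    return $verifier;
}

// What the token endpoint does with the value you send: recompute S256 over the
// verifier and compare it with the challenge it stored at authorization time.
// Running this locally tells you whether you reloaded the right verifier.
function pkceMatches(string $verifier, string $challenge): bool {
    return hash_equals($challenge, base64url(hash('sha256', $verifier, true)));
}

// Offline self-check: the stored verifier satisfies its challenge, a fresh one does not.
if (session_status() === PHP_SESSION_NONE) {
    session_start();
}
$params   = pkceStart();
$verifier = pkceVerifierFor($params['state']);
assert($verifier !== null);
assert(pkceMatches($verifier, $params['code_challenge']));
assert(!pkceMatches(base64url(random_bytes(64)), $params['code_challenge']));
assert(pkceVerifierFor($params['state']) === null);  // second lookup: already consumed
```

In the callback, pass the value returned by pkceVerifierFor($_GET['state']) as code_verifier to getAccessToken(); if pkceMatches() fails locally, the stored value is not the one whose challenge went to Asana.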