I am trying to connect to the Asana API using OAuth. I have everything else running ok, but when I try PKCE it doesn't work.
I first generate a code verifier. After some googling this is the code I have.
$code_verifier = rtrim(strtr(base64_encode(random_bytes(64)), '+/', '-_'), '=');
I send this to the token exchange. Then I hash this and base64url encode it and pass that on to the authorization request from the browser.
$hashed = hash('sha256', $code_verifier, true);
$code_challenge = rtrim(strtr(base64_encode($hashed), '+/', '-_'), '=');
$url = $asana_client->dispatcher->oauthClient->getAuthenticationUrl(
    OAuthDispatcher::$AUTHORIZATION_ENDPOINT,
    $asana_client_redirect_url,
    array(
        'state' => $state,
        'code_challenge' => $code_challenge,
        'code_challenge_method' => 'S256'
    )
);
$result = $asana_client->dispatcher->oauthClient->getAccessToken(
    OAuthDispatcher::$TOKEN_ENDPOINT,
    'authorization_code',
    array(
        'code' => $_GET['code'],
        'redirect_uri' => $asana_client_redirect_url,
        // the verifier generated above, read back from wherever it was stored across the redirect
        'code_verifier' => $current_verifier
    )
);
But I get back a 400 error "invalid grant" with the description "The PKCE code_verifier does not match the stored code challenge."
Weirdly enough if I don't send the code verifier to the token exchange point it works. Is it supposed to be like that? Seems weird to me but also like a pretty big bug if it isn't supposed to be like that.
Am I doing something wrong? All the googling I did and my own double checking makes it seem like this is what I'm supposed to do. Any help would be appreciated.
For anyone who might find this question and find this helpful: seems CBroe was on the right track. I was saving the code verifier to send to the token exchange in the wrong place, so it wasn't sending the right one. Got it working now.
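To make the mechanics behind that error concrete, here is the same verifier/challenge flow in Python with a toy authorization server standing in for Asana's. This is an added example, not code from the question or from Asana's PHP client: `FakeAuthServer`, `start_authorization` and `verifier_for_callback` are invented for illustration. The server stores the `code_challenge` against the issued code and, at token exchange, recomputes `base64url(sha256(code_verifier))` and compares; the client keeps the verifier in its session keyed by `state`, so the callback can retrieve exactly the verifier that belongs to that authorization request. The known-answer check uses the test vector from RFC 7636 Appendix B.

```python
import base64
import hashlib
import hmac
import secrets


def b64url(raw: bytes) -> str:
    """base64url without padding, as RFC 7636 requires for verifier and challenge."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 64) -> str:
    # 64 random bytes -> 86 characters, inside the 43..128 range RFC 7636 allows
    return b64url(secrets.token_bytes(nbytes))


def make_code_challenge(code_verifier: str) -> str:
    """S256 method: challenge = base64url(SHA-256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


def rfc7636_vector_ok() -> bool:
    """Known answer from RFC 7636 Appendix B."""
    verifier = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
    expected = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"
    return make_code_challenge(verifier) == expected


# ---- client side (hypothetical helpers, not the Asana library) ----

def start_authorization(session: dict) -> dict:
    """Build the extra authorization parameters and stash the verifier under this state."""
    state = secrets.token_urlsafe(16)
    verifier = make_code_verifier()
    session.setdefault("pkce", {})[state] = verifier
    return {
        "state": state,
        "code_challenge": make_code_challenge(verifier),
        "code_challenge_method": "S256",
    }


def verifier_for_callback(session: dict, state: str) -> str:
    """Return the verifier saved for exactly this state; pop it so it is used once."""
    return session["pkce"].pop(state)


# ---- server side (toy stand-in for the authorization server) ----

class FakeAuthServer:
    def __init__(self) -> None:
        self._pending = {}  # issued authorization code -> (challenge, method)

    def authorize(self, code_challenge: str, method: str = "S256") -> str:
        code = secrets.token_urlsafe(16)
        self._pending[code] = (code_challenge, method)
        return code

    def exchange(self, code: str, code_verifier) -> dict:
        challenge, method = self._pending.pop(code)
        if method != "S256":
            return {"error": "invalid_request", "error_description": "unsupported method"}
        if code_verifier is None or not hmac.compare_digest(
            make_code_challenge(code_verifier), challenge
        ):
            return {
                "error": "invalid_grant",
                "error_description": "The PKCE code_verifier does not match the stored code challenge.",
            }
        return {"access_token": "constructed-demo-token"}


def run_flow(use_stored_verifier: bool) -> dict:
    """Drive one authorization + token exchange; the flag reproduces the asker's mistake."""
    session = {}
    server = FakeAuthServer()
    params = start_authorization(session)
    code = server.authorize(params["code_challenge"], params["code_challenge_method"])
    if use_stored_verifier:
        verifier = verifier_for_callback(session, params["state"])
    else:
        verifier = make_code_verifier()  # a fresh verifier, i.e. not the one the challenge came from
    return server.exchange(code, verifier)


if __name__ == "__main__":
    print(rfc7636_vector_ok())
    print(run_flow(use_stored_verifier=True))
    print(run_flow(use_stored_verifier=False))
```

The second `run_flow` call is the failure mode from the question: the challenge was derived from one verifier and the token request carries another, so the server's recomputation cannot match and it answers `invalid_grant`. Keying the stored verifier by `state` also gives the callback a natural check that the response belongs to the request this client started.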