
I created a SPA application in Azure AD and am trying to generate an access token via the PKCE flow from Postman.

I am following this MS doc: Microsoft identity platform and OAuth 2.0 authorization code flow - Microsoft Entra | Microsoft Docs

To generate the code, I am using the authorize endpoint below, as mentioned in the above document:

https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?
client_id=myclientid
&response_type=code
&redirect_uri=myredirecturi
&response_mode=query
&scope=https://graph.microsoft.com/.default
&code_challenge=YTFjNjI1OWYzMzA3MTI4ZDY2Njg5M2RkNmVjNDE5YmEyZGRhOGYyM2IzNjdmZWFhMTQ1ODg3NDcxY2Nl
&code_challenge_method=S256

But I am getting the error below:

AADSTS501491: Invalid size of Code_Challenge parameter.

What is a valid value for the code_challenge parameter, and how do I generate it?

Shashank

3 Answers

This error "Invalid size of Code_Challenge parameter." usually occurs if the code_challenge is invalid. Make sure to generate a valid code_challenge.

To generate the code_challenge, you can make use of this tool like below:

[screenshot]

I tried in my environment and got the code value successfully, including the above code challenge value:

[screenshot]

Make sure to include the Origin header like below:

[screenshot]

After including all the required parameters, I was able to generate an access token successfully via the PKCE flow from Postman like below:

[screenshot]

Rukmini

Just strip your hash to 43 characters. Then you're fine. For example:

// random_bytes() takes an integer byte count, and each statement needs a terminating semicolon
$this->code_challenge = hash("sha256", random_bytes(96));
$code_challenge = substr($this->code_challenge, 0, 43);
Digital Human

You seem to be using S256 (SHA256) as the code challenge method (the hashing algorithm used to hash the code verifier). So ensure that the length of the base64-encoded code_challenge value is 43 characters. If there is a trailing '=', strip this off (this is the padding) before setting the code_challenge query string parameter value.
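The rule the last answer states (S256 challenge = base64url of the SHA-256 of the verifier, 43 characters, no padding) and the question's request for a way to generate the value, worked through as an added example. This is not code from the question, the answers, or Microsoft's documentation; it uses only the Python 3 standard library, and the tenant, client id, redirect URI and authorization code values in it are placeholders. It also includes the size check the authorization server applies (the question's 80-character value fails it) and the verifier check the token endpoint applies, plus the Origin header the first answer points out is needed for a SPA redirect URI:

```python
import base64
import hashlib
import re
import secrets
from urllib.parse import urlencode, urlsplit

# RFC 7636 section 4.1: code_verifier is 43..128 characters from [A-Za-z0-9-._~].
VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")
# An S256 code_challenge is base64url(SHA-256 digest) without padding: always exactly 43 characters.
CHALLENGE_RE = re.compile(r"^[A-Za-z0-9\-_]{43}$")


def b64url_no_pad(raw: bytes) -> str:
    """Base64url-encode and strip the trailing '=' padding."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(num_bytes: int = 32) -> str:
    """Random verifier. 32 bytes give the 43-character minimum, 96 bytes the 128-character maximum."""
    if not 32 <= num_bytes <= 96:
        raise ValueError("num_bytes must be between 32 and 96 to keep the verifier within 43..128 chars")
    verifier = b64url_no_pad(secrets.token_bytes(num_bytes))
    assert VERIFIER_RE.match(verifier)  # base64url alphabet is a subset of the unreserved set
    return verifier


def make_code_challenge(verifier: str, method: str = "S256") -> str:
    """Derive code_challenge from code_verifier; SHA-256 is taken over the verifier's ASCII bytes."""
    if method == "S256":
        return b64url_no_pad(hashlib.sha256(verifier.encode("ascii")).digest())
    if method == "plain":
        return verifier
    raise ValueError(f"unsupported code_challenge_method: {method!r}")


def challenge_has_valid_size(challenge: str) -> bool:
    """The size/alphabet check applied to the authorize request. A hex digest (64 chars), a
    truncated hex digest, or base64 of a hex string all fail here."""
    return CHALLENGE_RE.match(challenge) is not None


def server_verify(verifier: str, method: str, stored_challenge: str) -> bool:
    """Token-endpoint side: recompute the challenge from the presented verifier and compare in constant time."""
    if not VERIFIER_RE.match(verifier):
        return False
    return secrets.compare_digest(make_code_challenge(verifier, method), stored_challenge)


def build_authorize_url(tenant: str, client_id: str, redirect_uri: str, scope: str, challenge: str) -> str:
    """Authorize request with the same parameters as the question; every value is percent-encoded."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": scope,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?" + urlencode(params)


def build_token_request(client_id: str, redirect_uri: str, code: str, verifier: str, scope: str):
    """Headers and form body for redeeming the code. The Origin header is derived from the
    redirect URI, since a SPA-registered redirect URI requires it on the token request."""
    parts = urlsplit(redirect_uri)
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Origin": f"{parts.scheme}://{parts.netloc}",
    }
    body = {
        "client_id": client_id,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "code_verifier": verifier,
        "scope": scope,
    }
    return headers, urlencode(body)


if __name__ == "__main__":
    # Placeholder tenant/client/redirect values; replace with your own app registration.
    v = make_code_verifier()
    c = make_code_challenge(v)
    print("code_verifier :", v)
    print("code_challenge:", c, "(length", len(c), ")")
    print(build_authorize_url("<tenant-placeholder>", "<client-id-placeholder>",
                              "http://localhost:3000/callback",
                              "https://graph.microsoft.com/.default", c))
```

Keep the verifier with the client that started the flow and send only the challenge on the authorize request; the verifier goes in the token request body, never in the URL. The RFC 7636 Appendix B pair (verifier dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk, challenge E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM) is a convenient fixed check that your encoding matches what the server computes.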