pilcrowonpaper / arctic

OAuth 2.0 clients for popular providers
MIT License

Google and Microsoft providers do not work with verifier passed #128

Closed ComfortablyCoding closed 6 months ago

ComfortablyCoding commented 6 months ago

Hello and thanks for this package!

I am not sure if it is a setup issue but the Google and MicrosoftEntraId providers both error out if a verifier is passed. If the verifier is removed (i.e. passed as undefined) they work with no issue. I have confirmed the verification code is the same between the URL and the validate methods.

Both of them have it as a required parameter for the createAuthorizationURL and validateAuthorizationCode methods.

Any suggestions as to why this is are appreciated!

Sample code

import { generateCodeVerifier } from 'arctic';
// `google` is the Google provider instance (client id, secret and redirect URI
// are set up where the report elides them)

// generate the PKCE code verifier
const verifier = generateCodeVerifier();

// ..

// generate url
const url = await google.createAuthorizationURL(payload.state, payload.verified, {
    scopes: ['profile', 'email'],
});

// ..

// validate auth code, errors here
const { accessToken } = await google.validateAuthorizationCode(payload.code, payload.verifier);

Example error response from Google if verifier is passed

OAuth2RequestError: invalid_grant
    at OAuth2Client.sendTokenRequest ([REDACTED]/node_modules/.pnpm/oslo@1.2.0/node_modules/oslo/dist/oauth2/index.js:99:19)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async OAuth2Client.validateAuthorizationCode ([REDACTED]/node_modules/.pnpm/oslo@1.2.0/node_modules/oslo/dist/oauth2/index.js:59:16)
    at async Google.validateAuthorizationCode ([REDACTED]/node_modules/.pnpm/arctic@1.8.1/node_modules/arctic/dist/providers/google.js:23:24)
    at [REDACTED]
    at [REDACTED] {
  request: Request {
    method: 'POST',
    url: 'https://oauth2.googleapis.com/token',
    headers: Headers {
      accept: 'application/json',
      'content-type': 'application/x-www-form-urlencoded',
      'user-agent': 'oslo'
    },
    destination: '',
    referrer: 'about:client',
    referrerPolicy: '',
    mode: 'cors',
    credentials: 'same-origin',
    cache: 'default',
    redirect: 'follow',
    integrity: '',
    keepalive: false,
    isReloadNavigation: false,
    isHistoryNavigation: false,
    signal: AbortSignal { aborted: false }
  },
  description: 'code_verifier or verifier is not needed.'
}
pilcrowonpaper commented 6 months ago

What's payload.verified and payload.verifier?

ComfortablyCoding commented 6 months ago

They are the verifier value, just in different places of the code.

ComfortablyCoding commented 6 months ago

Strangely enough, it is now working for me. Closing for now; will re-open if I can reproduce it again with a minimal example.