Snapchat OAuth: invalid code_verifier

I'm running a vanilla OAuth flow with PKCE to get a user access token from Snapchat. The initial request is straightforward. I generate a PKCE pair in my Python backend using:

import base64, hashlib, secrets

def make_pkce_pair():
    pkce_code_verifier = secrets.token_urlsafe(96)  # 128 URL-safe chars, the RFC 7636 maximum
    hashed = hashlib.sha256(pkce_code_verifier.encode("ascii")).digest()
    pkce_code_challenge = base64.urlsafe_b64encode(hashed).decode("ascii")[:-1]  # drop the single '=' pad
    return pkce_code_challenge, pkce_code_verifier

I pass the code challenge into my first request which successfully returns a code.

However, no matter how I structure the follow-on request to exchange the code for an access token, I receive:

{
  "error": "invalid_grant",
  "error_description": "Invalid code_verifier.",
  "state": ""
}

Here's an example CURL:

curl -X POST https://accounts.snapchat.com/accounts/oauth2/token \
--header 'Authorization: Basic [redacted]' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=authorization_code' \
--data-urlencode 'code=XCd9mUHo9s4osXBvEnmERloR2DjUxR_AA4el_azXnhg' \
--data-urlencode 'code_verifier=kJ31ekNSvahWwczcea-q9rFI8Grl9-jDOTuXPTDIxfhuf1IEWdRbJAKf4vTeA8vxhzUHBBM9QDcn3NmEqqAlrpz8_PNP573sljIKQIur-lV-BjuWtSHMZb7zby5WpRw6' \
--data-urlencode 'redirect_uri=[redacted]'

Has anyone gotten this to work? I've verified my code challenge and code verifier using a few of the online PKCE tools; they seem valid.
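The question's generator paired with the check the token endpoint runs on the follow-on request, as an added example (it is not code from the post, from Snapchat, or from expo-auth-session). It applies the RFC 7636 rules: a code_verifier is 43 to 128 characters from the unreserved set, and for S256 the server recomputes BASE64URL-ENCODE(SHA256(ASCII(code_verifier))) and compares it with the stored code_challenge. The `diagnose` branches are common client-side mistakes I have chosen for illustration, not anything the page attributes to the asker's setup; `ASKER_VERIFIER` is copied from the curl command above, and the known-answer pair is the one in RFC 7636 Appendix B.

```python
"""PKCE S256 generation plus the token-endpoint check (RFC 7636 section 4.6).

Illustration written for this page; not Snapchat's or expo-auth-session's code.
"""
import base64
import hashlib
import hmac
import re
import secrets

# RFC 7636 section 4.1: 43..128 chars from the unreserved set [A-Za-z0-9-._~]
_VERIFIER_RE = re.compile(r"[A-Za-z0-9\-._~]{43,128}")

# The code_verifier from the question's curl request (128 characters).
ASKER_VERIFIER = ("kJ31ekNSvahWwczcea-q9rFI8Grl9-jDOTuXPTDIxfhuf1IEWdRbJAKf4vTe"
                  "A8vxhzUHBBM9QDcn3NmEqqAlrpz8_PNP573sljIKQIur-lV-BjuWtSHMZb7zby5WpRw6")

# Known-answer pair from RFC 7636 Appendix B.
RFC_VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
RFC_CHALLENGE = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"


def b64url_nopad(raw: bytes) -> str:
    """BASE64URL-ENCODE as PKCE defines it: URL-safe alphabet, '=' padding stripped."""
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def s256_challenge(code_verifier: str) -> str:
    """code_challenge = BASE64URL-ENCODE(SHA256(ASCII(code_verifier)))."""
    return b64url_nopad(hashlib.sha256(code_verifier.encode("ascii")).digest())


def make_pkce_pair() -> tuple[str, str]:
    """Client side: returns (code_challenge, code_verifier).
    token_urlsafe(96) yields 128 URL-safe chars, the maximum RFC 7636 allows."""
    verifier = secrets.token_urlsafe(96)
    return s256_challenge(verifier), verifier


def verify_pkce(code_verifier: str, code_challenge: str, method: str = "S256") -> bool:
    """Server side: True only if the verifier is well-formed and reproduces the
    challenge that was bound to the authorization code at the authorize step."""
    if not _VERIFIER_RE.fullmatch(code_verifier):
        return False
    if method == "S256":
        expected = s256_challenge(code_verifier)
    elif method == "plain":
        expected = code_verifier
    else:
        return False  # unknown transform: reject rather than guess
    # Constant-time comparison, as for any secret-derived value.
    return hmac.compare_digest(expected.encode("ascii"), code_challenge.encode("ascii"))


def diagnose(code_verifier: str, code_challenge: str) -> str:
    """Name the client-side mistake behind a failed S256 check, so an
    'Invalid code_verifier' response can be traced to a concrete cause.
    The branches are hypothetical common errors chosen for this example."""
    if not _VERIFIER_RE.fullmatch(code_verifier):
        return "verifier malformed: need 43..128 chars from [A-Za-z0-9-._~]"
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    if code_challenge == b64url_nopad(digest):
        return "ok"
    if code_challenge == base64.urlsafe_b64encode(digest).decode("ascii"):
        return "challenge kept its '=' padding"
    if code_challenge == base64.b64encode(digest).decode("ascii").rstrip("="):
        return "challenge uses the standard base64 alphabet (+ /) instead of base64url (- _)"
    hex_form = hashlib.sha256(code_verifier.encode("ascii")).hexdigest().encode("ascii")
    if code_challenge == b64url_nopad(hex_form):
        return "challenge was computed over the hex digest string, not the raw digest"
    return ("verifier is not the one the challenge was derived from "
            "(a different pair was generated or stored between the two requests)")


def demo_cases() -> dict[str, str]:
    """Constructed inputs that exercise every branch of diagnose()."""
    challenge, verifier = make_pkce_pair()
    hex_form = hashlib.sha256(verifier.encode("ascii")).hexdigest().encode("ascii")
    return {
        "good": diagnose(verifier, challenge),
        "too_short": diagnose(verifier[:42], s256_challenge(verifier[:42])),
        "padded": diagnose(verifier, challenge + "="),
        "std_b64": diagnose(verifier, challenge.replace("-", "+").replace("_", "/")),
        "hex_digest": diagnose(verifier, b64url_nopad(hex_form)),
        "wrong_verifier": diagnose(make_pkce_pair()[1], challenge),
    }


if __name__ == "__main__":
    print("RFC vector verifies:", verify_pkce(RFC_VERIFIER, RFC_CHALLENGE))
    print("asker's verifier is well-formed:",
          verify_pkce(ASKER_VERIFIER, s256_challenge(ASKER_VERIFIER)))
    for name, result in demo_cases().items():
        print(f"{name:15s} {result}")
```

Running this shows that the verifier in the curl command is well-formed and that the generator in the question produces a pair that passes the S256 check, so the server's rejection has to come from the last branch: the verifier sent to the token endpoint is not the one the stored challenge was derived from. That is the symptom to look for in the client library that sits between the two requests, which is where the accepted answer found the problem.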



Solution 1:[1]

Turns out, it was an issue in expo-auth-session. I've documented it here: https://forums.expo.dev/t/expo-authsession-pkce-always-leads-to-invalid-code-verifier/63750.

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 David Flink