I m going through the help center documentation attempting t NetSuite Professionals #ask-stanley-ai

I’m going through the help center documentation at...

toltmanns

03/26/2025, 10:47 PM

I’m going through the help center documentation attempting to setup an oauth 2.0 authorization grant flow. Step 1 is successful, I get a code in the url after allowing the application access to the account. However step 2 fails with invalid_grant when I use the code in a post to the token endpoint with grant_type authorization_code. The redirect uri is consistent with the authorization request. However documentation mentions a code_verifier parameter in step two and I’m not sure how to get that. Docs say it should match value from step one, but step one doesn’t have code_verifier, rather it has a code_challenge and a code_challenge_method

Celigo AI

03/26/2025, 10:47 PM

AI generated answer (using internal Slack threads):

The issue you're facing is related to the PKCE (Proof Key for Code Exchange) extension of OAuth 2.0. In the first step of the OAuth 2.0 authorization code grant flow, you generate a

code_verifier

and a

code_challenge

. The

code_challenge

is a hashed version of the

code_verifier

and is sent in the authorization request. In the second step, when you exchange the authorization code for an access token, you need to include the original

code_verifier

in your request. The server will then generate a

code_challenge

from the

code_verifier

you sent and compare it to the original

code_challenge

from step one. If they match, the server knows that the client making the token request is the same as the client that initiated the authorization request. Here's a simplified example of how you might generate the

code_verifier

and `code_challenge`:

Copy code

javascript
// Step 1: Generate code_verifier
var code_verifier = generateRandomString(128);

// Step 2: Generate code_challenge
var code_challenge = base64UrlEncode(sha256(code_verifier));

In this example,

generateRandomString

is a function that generates a random string of the specified length,

base64UrlEncode

is a function that encodes a string in Base64 and replaces certain characters to make it URL-safe, and

sha256

is a function that hashes a string using the SHA-256 algorithm. In the second step of the OAuth 2.0 flow, you would include the

code_verifier

in your request to the token endpoint:

Copy code

javascript
var tokenRequestData = {
  grant_type: 'authorization_code',
  code: authorizationCode,
  redirect_uri: redirectUri,
  client_id: clientId,
  code_verifier: code_verifier  // Include the original code_verifier
};

Please replace the function names and variables with the actual ones used in your code. ****** Disclaimer: This response was generated by an artificial intelligence assistant based on previous conversations from multiple Slack channels, and may contain inaccuracies or mistakes. ******

Celigo AI

03/26/2025, 10:47 PM

Slack thread 1: here (available only if the original thread was posted in the last 90 days)

Similarity score: 0.828041196

Slack thread 2: here (available only if the original thread was posted in the last 90 days)

Similarity score: 0.826250613

Slack thread 3: here (available only if the original thread was posted in the last 90 days)

Similarity score: 0.825342119

Celigo AI

03/26/2025, 10:47 PM

Please provide your feedback on this answer.

toltmanns

03/26/2025, 10:58 PM

That’s helpful in understanding the relationship between code_verifier and code_challenge but I am still getting an invalid_grant - what else could be the issue

4 Views

Open in Slack

Previous Next