pilcrowonpaper/arctic

Google and Microsoft providers do not work with verifier passed

ComfortablyCoding opened this issue · 3 comments

ComfortablyCoding commented

Hello and thanks for this package!

I am not sure if it is a setup issue but the Google and MicrosoftEntraId providers both error out if a verifier is passed. If the verifier is removed (i.e. passed as undefined) they work with no issue. I have confirmed the verification code is the same between the URL and the validate methods.

Both of them have it as a required parameter for the createAuthorizationURL and validateAuthorizationCode methods.

Any suggestions as to why this is are appreciated!

Sample code

// generate code verification
const verifier = generateCodeVerifier();

// ..

// generate url
const url = await google.createAuthorizationURL(payload.state, payload.verified, {
    scopes: ['profile', 'email'],
});

// ..

// validate auth code, errors here
const { accessToken } = await google.validateAuthorizationCode(payload.code, payload.verifier);

Example error response from Google if verifier is passed

OAuth2RequestError: invalid_grant
    at OAuth2Client.sendTokenRequest ([REDACTED]/node_modules/.pnpm/oslo@1.2.0/node_modules/oslo/dist/oauth2/index.js:99:19)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async OAuth2Client.validateAuthorizationCode ([REDACTED]/node_modules/.pnpm/oslo@1.2.0/node_modules/oslo/dist/oauth2/index.js:59:16)
    at async Google.validateAuthorizationCode ([REDACTED]/node_modules/.pnpm/arctic@1.8.1/node_modules/arctic/dist/providers/google.js:23:24)
    at [REDACTED]
    at [REDACTED] {
  request: Request {
    method: 'POST',
    url: 'https://oauth2.googleapis.com/token',
    headers: Headers {
      accept: 'application/json',
      'content-type': 'application/x-www-form-urlencoded',
      'user-agent': 'oslo'
    },
    destination: '',
    referrer: 'about:client',
    referrerPolicy: '',
    mode: 'cors',
    credentials: 'same-origin',
    cache: 'default',
    redirect: 'follow',
    integrity: '',
    keepalive: false,
    isReloadNavigation: false,
    isHistoryNavigation: false,
    signal: AbortSignal { aborted: false }
  },
  description: 'code_verifier or verifier is not needed.'
}
pilcrowonpaper commented

What's payload.verified and payload.verifier?

ComfortablyCoding commented

They are verifier value just in different places of the code

ComfortablyCoding commented

Strangely enough it is now working for me. Closing for now, will re-open if I can reproduce it again with a minimal example.