I'm trying to implement native clients (.NET Console applications as a mockup at first) to authenticate using OpenID Connect against IdentityServer4 as my STS. I use IdentityModel.OidcClient2 as my client library.
I chose to implement the code based authentication flow.
I am able to pass through the authentication stage, but when I get to the authorization stage I get an error message at the client saying invalid_grant.
At the IdentityServer the error message is "Unexpected code_verifier: XXXXXXXXXXX....".
Even though, when I open Fiddler and look at the requests and the debug info, the code verifier sent to the IdentityServer for the authorization seems to be the one the client generated at first in the AuthorizationState class. If I execute with AuthorizationState.CodeVerifier = null, then it works.
But I do want to implement the PKCE for extra security. How can I achieve that?
Here is the configuration of that specific client
Identity Server:

new Client
{
    ClientId = "nativeapp1",
    ClientName = "Native App Demo - 1",
    AllowedGrantTypes = GrantTypes.Hybrid,
    RequireConsent = true,
    ClientSecrets =
    {
        new Secret("some-secret1".Sha256())
    },
    AllowedScopes =
    {
        IdentityServerConstants.StandardScopes.OpenId,
        IdentityServerConstants.StandardScopes.Profile,
        IdentityServerConstants.StandardScopes.OfflineAccess,
        "custom.name",
        "api1"
    },
    RedirectUris = { "http://127.0.0.1:7890/" },
    //PostLogoutRedirectUris = { "" },
    AllowOfflineAccess = true
}
And the client configuration:

var options = new OidcClientOptions
{
    Authority = _authority,
    ClientId = "nativeapp1",
    RedirectUri = redirectUri,
    Scope = "openid profile api1 custom.name offline_access",
    FilterClaims = true,
    LoadProfile = false,
    Flow = OidcClientOptions.AuthenticationFlow.Hybrid,
    ClientSecret = "some-secret1"
};
You need to set RequirePkce to true on your client configuration in IdentityServer.
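Worked example, added here and not part of the answer above: the IdentityServer4 client definition from the question with the one change the answer recommends, RequirePkce = true. The AllowPlainTextPkce line is an extra setting from the IdentityServer4 Client model (kept at its default of false so only S256 challenges are accepted); everything else is the question's own configuration. The OidcClientOptions on the native side need no change, since the question's Fiddler capture already shows the client sending a code_verifier.

```csharp
// Added example (not the answerer's or the project's code): the "nativeapp1"
// client from the question, with PKCE enforcement turned on server-side.
using IdentityServer4;
using IdentityServer4.Models;

public static class Clients
{
    public static Client NativeApp1 => new Client
    {
        ClientId = "nativeapp1",
        ClientName = "Native App Demo - 1",
        AllowedGrantTypes = GrantTypes.Hybrid,
        RequireConsent = true,

        // With RequirePkce = true the token endpoint expects a code_verifier and
        // checks it against the code_challenge stored with the authorization
        // code, instead of rejecting the unexpected parameter as invalid_grant.
        RequirePkce = true,
        // Default is false: only the S256 code_challenge_method is accepted, so
        // the verifier never travels in the clear through the browser redirect.
        AllowPlainTextPkce = false,

        ClientSecrets =
        {
            new Secret("some-secret1".Sha256())
        },
        AllowedScopes =
        {
            IdentityServerConstants.StandardScopes.OpenId,
            IdentityServerConstants.StandardScopes.Profile,
            IdentityServerConstants.StandardScopes.OfflineAccess,
            "custom.name",
            "api1"
        },
        RedirectUris = { "http://127.0.0.1:7890/" },
        AllowOfflineAccess = true
    };
}
```

Why the server-side setting matters: the fact that the exchange succeeds once AuthorizationState.CodeVerifier is null shows the verifier was simply not being checked, so the client was getting no PKCE protection at all. For a native application a "client secret" compiled into the binary is not really confidential, so the S256 code_verifier check is the control that actually binds the authorization code to the client instance that started the flow.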