Quick question about implementing the Authorization Code flow with PKCE for a single-page application hosted within a CXone Studio context. I am trying to exchange the authorization code for an access token using a GetRESTProxy snippet, but I keep hitting a wall with a 400 Bad Request on the /oauth/token endpoint. The documentation explicitly states that “the code_verifier must match the code_challenge used in the authorization request,” and I am generating the SHA-256 hash in JavaScript before passing it to the snippet, yet the exchange fails. My snippet looks like this:
```
ASSIGN token_url = "https://api.mynice.com/oauth/token"
ASSIGN payload = '{"grant_type": "authorization_code", "code": "' + auth_code + '", "redirect_uri": "https://myapp.com/callback", "client_id": "' + client_id + '", "code_verifier": "' + code_verifier + '"}'
CALL GetRESTProxy(token_url, "POST", payload, response)
```
I have verified the code_verifier matches the base64url-encoded SHA-256 hash of the code_challenge. Here is what I have tried:
- Confirmed the `redirect_uri` parameter matches the registered URI in the OAuth application settings exactly, including the trailing slash.
- Checked the expiration of the authorization code to ensure it has not been used or expired before the exchange request was sent.
Why is the token endpoint rejecting the request despite the parameters appearing correct?
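
For reference, the S256 relationship from RFC 7636 that the quoted documentation sentence refers to, written as an added example that is not part of the original post and not CXone code: the `code_verifier` is the random string sent in the token request, and the `code_challenge` sent in the authorization request is its base64url-encoded SHA-256 hash. The function names and the labels returned by `diagnose` are hypothetical, and only Node's built-in crypto module is used.

```javascript
// Added example: PKCE S256 (RFC 7636) generation plus a pre-flight check.
const nodeCrypto = require('node:crypto');

// RFC 7636 section 4.1: 43-128 characters from the unreserved set.
const VERIFIER_RE = /^[A-Za-z0-9\-._~]{43,128}$/;

// 32 random bytes encode to a 43-character base64url string, no padding.
function generateVerifier() {
  return nodeCrypto.randomBytes(32).toString('base64url');
}

// code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), section 4.2.
function challengeFor(verifier) {
  return nodeCrypto.createHash('sha256').update(verifier, 'ascii').digest('base64url');
}

// Server-side comparison at the token endpoint (section 4.6): recompute
// the challenge from the presented verifier and compare in constant time.
function verifierMatches(presentedVerifier, storedChallenge) {
  if (!VERIFIER_RE.test(presentedVerifier)) return false;
  const a = Buffer.from(challengeFor(presentedVerifier));
  const b = Buffer.from(storedChallenge);
  return a.length === b.length && nodeCrypto.timingSafeEqual(a, b);
}

// Client-side check to run on the two values before the token request.
// Returns a (hypothetical) label naming the PKCE mix-up, or 'ok'.
function diagnose(sentAsChallenge, sentAsVerifier) {
  if (verifierMatches(sentAsVerifier, sentAsChallenge)) return 'ok';
  // Standard base64 characters or padding where base64url is required.
  if (/[+\/=]/.test(sentAsChallenge)) return 'challenge-not-base64url';
  // The hash itself was sent in both requests.
  if (sentAsVerifier === sentAsChallenge) return 'hash-sent-as-verifier';
  // The two values were swapped between the two requests.
  if (verifierMatches(sentAsChallenge, sentAsVerifier)) return 'swapped';
  return 'mismatch';
}

// Constructed sample run with a freshly generated pair.
const sampleVerifier = generateVerifier();
const sampleChallenge = challengeFor(sampleVerifier);
console.log(diagnose(sampleChallenge, sampleVerifier));
console.log(diagnose(sampleChallenge, sampleChallenge));
```
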