Stuck on the Authorization Code flow with PKCE for our new SPA. Generating the challenge and sending it to /oauth/authorize, but hitting a 400 Bad Request on the token endpoint with ‘invalid_grant’. The code_verifier matches the base64url-encoded sha256 hash, but the token request keeps failing. Here’s the token payload:
POST /oauth/token
{
"grant_type": "authorization_code",
"code": "AUTH_CODE_HERE",
"redirect_uri": "http://localhost:3000/callback",
"code_verifier": "PLAIN_TEXT_VERIFIER"
}
Checked the logs, the verifier is identical to what was used to generate the challenge. Missing something obvious?
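As an added example (my own code, not from the post above), here is the S256 derivation from RFC 7636 next to the check a token endpoint runs on code_verifier before it answers invalid_grant: base64url with the padding stripped, the 43 to 128 character length bound, a constant-time compare, and the token request built as the form-encoded body RFC 6749 section 4.1.3 specifies rather than JSON. Function names and the client_id value are mine; the test vector is the one in RFC 7636 appendix B.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

# RFC 7636 section 4.1: a verifier is 43..128 characters from this set
_UNRESERVED = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"
)


def b64url_nopad(raw: bytes) -> str:
    """base64url without '=' padding, as RFC 7636 appendix A requires.
    Leaving the '=' on is the usual reason a 'matching' challenge fails."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_verifier(nbytes: int = 32) -> str:
    """32 random bytes encode to the 43-character minimum the RFC recommends."""
    return b64url_nopad(secrets.token_bytes(nbytes))


def make_challenge(verifier: str) -> str:
    """S256: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())


def server_verifies(stored_challenge: str, method: str, presented: str) -> bool:
    """What the token endpoint does with code_verifier; False means invalid_grant.
    stored_challenge/method were saved with the code at /oauth/authorize time."""
    if not 43 <= len(presented) <= 128 or not set(presented) <= _UNRESERVED:
        return False
    if method == "S256":
        expected = make_challenge(presented)
    elif method == "plain":
        expected = presented
    else:
        return False
    # constant-time compare so response timing does not leak a matching prefix
    return hmac.compare_digest(expected, stored_challenge)


def token_request_body(code: str, verifier: str, redirect_uri: str, client_id: str) -> str:
    """Token requests are application/x-www-form-urlencoded (RFC 6749 4.1.3), not JSON;
    redirect_uri must byte-for-byte equal the one sent to /oauth/authorize."""
    return urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,  # assumed public-client id; adjust for your server
        "code_verifier": verifier,
    })
```

Send that string with Content-Type: application/x-www-form-urlencoded; a server that expects form fields will not see any of the JSON keys and can report the failure as invalid_grant.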