Having some issues getting my configuration to work. I am implementing the Authorization Code flow with PKCE for a single-page application targeting the Genesys Cloud OAuth server. I generate the code_verifier using a cryptographically secure random string and derive the code_challenge via SHA-256 base64url encoding. The initial authorization request completes successfully, redirecting back to my callback URI with the authorization code.
However, when I exchange this code for an access token via the /oauth/token endpoint, I receive a 400 Bad Request response. The error message states invalid_grant with the detail code_verifier mismatch. I have verified that the code_verifier sent in the token request matches the original value used to generate the challenge exactly.
Here is the token request payload I am sending:
grant_type=authorization_code&code=[AUTH_CODE]&redirect_uri=[URI]&client_id=[ID]&code_verifier=[VERIFIER]
I have checked for whitespace issues and confirmed the base64url encoding does not include padding characters. I also ensured the code is not reused.
What could cause this mismatch? Is there a specific encoding requirement for the code_verifier parameter in the body that differs from standard OAuth 2.0 PKCE implementations? Any insights into debugging this specific error would be appreciated.