I am looking for specific status information for RFC7636 (validation key for OAuth token exchanges) in the Google OAuth2 API.
Google provides OAuth 2.0 and OIDC API providers where you can get access tokens. There is a standard described in RFC7636 for the use of security keys in tokens, which we began to use in our integration with major identifier providers. Some accept the key of evidence; others ignore it; Google seems to be aware of this, but does not verify the confirmation key. I could not find any mention of this by Google.
In specific terms, when we run the OAuth 2.0 authorization code flow with Google as the provider, we generate a random number, hash it with SHA256, base64url-encode it, and then pass it to https://accounts.google.com/o/oauth2/v2/auth as the parameters "code_challenge" and "code_challenge_method" according to the specification.
The endpoint accepts the parameters and issues an authorization token, as usual. Upon receipt of the access token, we call https://www.googleapis.com/oauth2/v4/token using code_verifier; the endpoint returns the following HTTP 400 error, which suggests that there is some awareness of code verification: `{"error": "invalid_grant", "error_description": "Missing code verifier"}`
The Google OAuth documentation at developers.google.com/identity/protocols/OAuth2 does not mention any of these parameters; the API playground does not apply to games with OAuth2 authentication and authentication endpoints. Any insight would be appreciated.