question

Pedro Costa asked

Code challenge problem for Login With Amazon SDK

Hello, I'm having an issue with requesting the access token and refresh token from https://api.amazon.com/auth/O2/token, given that I successfully generated an auth code.

I followed the tutorial for Login with Amazon on iOS: https://developer.amazon.com/docs/dash/lwa-mobile-sdk-ios.html

I created a code challenge and used S256 as the code challenge method.

My idea is to convert the auth code to an access/refresh token using my backend. Once I trigger the API call to https://api.amazon.com/auth/O2/token, providing everything including the code challenge, I'm getting the error "unauthorized_client". If I do the same thing using "plain" as the code challenge method, I can successfully retrieve the access/refresh tokens. Is there a reason for this? Can someone help me troubleshoot?

Tags: certification, login with amazon, sdk, ios, dash replenishment service

Ken Napier answered

I had the same issue trying to produce this with C code. I skipped S256 for a few days and just used plain.

When Amazon takes your code verifier and performs the steps outlined in RFC 7636, they don't end up with the same code challenge you provided in the login steps to get the auth code. This results in the unauthorized_client error.

I found my issue by using the same code verifier listed in Appendix B of RFC 7636 (https://tools.ietf.org/html/rfc7636) and just making sure I got the same results at each step. The code verifier example is 'dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk'. They show you what the SHA256 version of this looks like as a char array. They also show you the base64 encoded form (no padding, no +, no /).

This is the final code challenge 'E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM'.

If you are not ending up with the same code challenge as they did, look at the steps again.

My first SHA256 attempt was producing a hex string (human readable) instead of a char array. It was easy to spot when I compared it to the RFC array they had listed.

Once I got the correct hash and verified it all worked, I then went back and made the code verifier random again.

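The S256 procedure Ken describes, as an added example in Python (not code from either poster, the Login with Amazon SDK, or Amazon). It implements RFC 7636 section 4.2 (`code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))`, no padding), reproduces the Appendix B test vector, and puts the hex-digest mistake from the answer side by side with the correct computation so you can see why the two challenges never match. The server-side `verify_s256` check mirrors what the authorization server does with the `code_verifier` it receives at the token endpoint; note that under RFC 7636 the token request carries the verifier, and the challenge is only sent on the authorize request. Function and parameter names are this example's own.

```python
import base64
import hashlib
import hmac
import secrets
import string

# RFC 7636 Appendix B test vector (values taken from the RFC itself).
RFC7636_VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
RFC7636_CHALLENGE = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"

# RFC 7636 section 4.1: unreserved characters only, 43..128 chars long.
_UNRESERVED = string.ascii_letters + string.digits + "-._~"


def b64url_no_pad(raw: bytes) -> str:
    """base64url (RFC 4648 section 5) with the trailing '=' padding stripped."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def generate_code_verifier(length: int = 64) -> str:
    """Random code_verifier from a CSPRNG, within the RFC's length bounds."""
    if not 43 <= length <= 128:
        raise ValueError("code_verifier must be 43..128 characters (RFC 7636 4.1)")
    return "".join(secrets.choice(_UNRESERVED) for _ in range(length))


def code_challenge_s256(code_verifier: str) -> str:
    """Correct S256: hash the raw 32-byte digest, not its hex rendering."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return b64url_no_pad(digest)


def code_challenge_s256_hex_mistake(code_verifier: str) -> str:
    """The bug from the answer above: base64url of the 64-char hex string.

    This yields an 86-character value that the server will never reproduce,
    so the token request fails even though the verifier itself is fine.
    """
    hex_digest = hashlib.sha256(code_verifier.encode("ascii")).hexdigest()
    return b64url_no_pad(hex_digest.encode("ascii"))


def verify_s256(code_verifier: str, code_challenge: str) -> bool:
    """Server-side check performed at the token endpoint (RFC 7636 4.6).

    Constant-time comparison so a mismatch does not leak how many leading
    characters of the challenge were right.
    """
    expected = code_challenge_s256(code_verifier)
    return hmac.compare_digest(expected, code_challenge)


def pkce_pair(length: int = 64) -> dict:
    """What the client keeps (verifier) and what goes on the authorize URL."""
    verifier = generate_code_verifier(length)
    return {
        "code_verifier": verifier,                    # sent only to the token endpoint
        "code_challenge": code_challenge_s256(verifier),  # sent on the authorize request
        "code_challenge_method": "S256",
    }


if __name__ == "__main__":
    print("correct :", code_challenge_s256(RFC7636_VERIFIER))
    print("expected:", RFC7636_CHALLENGE)
    print("hex bug :", code_challenge_s256_hex_mistake(RFC7636_VERIFIER))
    pair = pkce_pair()
    print("server accepts fresh pair:", verify_s256(pair["code_verifier"], pair["code_challenge"]))
```

Running it with the RFC verifier prints the 43-character challenge from Appendix B, while the hex variant prints an 86-character string; if your own implementation produces something of that length, you have the same bug the answer describes.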

Pedro Costa answered

That makes sense! Thank you for the explanation, Ken Napier! I was now able to fix the issue.
