Trouble handling callback from SSO always returns 400
I'm a bit stuck in this section https://kinde.com/docs/developer-tools/using-kinde-without-an-sdk/#handling-the-callback in the documentation.
When I send the POST request to oauth2/token from Postman, I get a 400 status code every time. I am also using PKCE verification.
I use this https://tonyxu-io.github.io/pkce-generator/ to generate the code challenge and my code verifier is code_verifier.
This is my URL for creating the SSO login for our users: https://novade.kinde.com/oauth2/auth?response_type=code&client_id=279d4ec6490d402b817c4d7aec122373&redirect_uri=https://lite-staging.novade.net/login-sso&scope=openid+profile+email&state=abcdeftgh&code_challenge_method=S256&code_challenge=73oehA2tBul5grZPhXUGQwNAjxh69zNES8bu2bVD0EM
This is the URL I try to send a POST request to and get 400: https://novade.kinde.com/oauth2/token?grant_type=authorization_code&client_id=279d4ec6490d402b817c4d7aec122373&redirect_uri=https://lite-staging.novade.net/login-sso&code=XKRMtXK-SM4SorkGIZ2pJqycIXmY_EJfuEjk18yXBgU.jvdQuoUBYfJVk7Bm2JfW3S2KRu408iIlWzD2DrCBLLE&code_verifier=code_verifier
Am I doing something wrong with PKCE verification? Or any suggestion?
7 Replies
Sorry to see that you hit a snag with getting Kinde working. I will get a more experienced team member to help with this, but these are my initial thoughts on what might be happening.
One thing that stands out is that you're sending the parameters in the URL of your POST request. For the token request, these parameters should be sent in the body of the request, not the URL.
Here's an example of how your request should look:
POST /oauth2/token HTTP/1.1
Host: novade.kinde.com
Content-Type: application/x-www-form-urlencoded
grant_type=authorization_code&
client_id=279d4ec6490d402b817c4d7aec122373&
redirect_uri=https://lite-staging.novade.net/login-sso&
code=XKRMtXK-SM4SorkGIZ2pJqycIXmY_EJfuEjk18yXBgU.jvdQuoUBYfJVk7Bm2JfW3S2KRu408iIlWzD2DrCBLLE&
code_verifier=code_verifier
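The two halves of the flow the reply describes, as an added example that is not part of the thread and not Kinde's own code: the authorize URL is a GET and legitimately carries its parameters in the query string, while the token exchange is a POST whose parameters belong in a form-encoded body against the bare /oauth2/token endpoint. The issuer, client_id and redirect_uri are placeholders. The code challenge is derived the S256 way (BASE64URL of SHA-256 of the verifier, RFC 7636), and the example enforces the RFC's 43 to 128 character verifier length, so the literal value code_verifier used above would be rejected by it; a state check for the callback is included because the same callback is where that value should be compared.

```python
"""PKCE authorization-code flow helpers (added example, not Kinde's code).

Assumes the endpoints the thread uses: /oauth2/auth and /oauth2/token.
ISSUER, CLIENT_ID and REDIRECT_URI are constructed placeholders.
"""
import base64
import hashlib
import secrets
import urllib.parse
import urllib.request

ISSUER = "https://EXAMPLE-TENANT.kinde.com"          # placeholder, not a real tenant
CLIENT_ID = "PLACEHOLDER_CLIENT_ID"                  # placeholder
REDIRECT_URI = "https://app.example.com/login-sso"   # placeholder


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 section 4.2 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """Random verifier; 32 random bytes encode to 43 chars, the RFC 7636 minimum."""
    return b64url(secrets.token_bytes(n_bytes))


def make_code_challenge(verifier: str) -> str:
    """S256 challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    if not 43 <= len(verifier) <= 128:
        raise ValueError("code_verifier must be 43-128 characters (RFC 7636 s.4.1)")
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(challenge: str, state: str) -> str:
    """Step 1: the URL the browser is sent to. A query string is correct here (GET)."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile email",
        "state": state,
        "code_challenge_method": "S256",
        "code_challenge": challenge,
    }
    return f"{ISSUER}/oauth2/auth?" + urllib.parse.urlencode(params)


def build_token_request(code: str, verifier: str) -> urllib.request.Request:
    """Step 2: the token exchange. Parameters go in the form-encoded BODY,
    not in the URL; the URL is just the bare token endpoint."""
    body = urllib.parse.urlencode({
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "code": code,
        "code_verifier": verifier,
    }).encode("ascii")
    return urllib.request.Request(
        f"{ISSUER}/oauth2/token",
        data=body,
        method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )


def check_state(expected: str, returned: str) -> bool:
    """Reject the callback unless the state round-tripped unchanged (CSRF guard)."""
    return secrets.compare_digest(expected, returned)


if __name__ == "__main__":
    # Offline walkthrough: generate a pair, print the authorize URL, show the body.
    verifier = make_code_verifier()
    state = b64url(secrets.token_bytes(16))
    print(build_authorize_url(make_code_challenge(verifier), state))
    req = build_token_request("CODE_FROM_CALLBACK", verifier)   # constructed code value
    print(req.full_url)
    print(req.data.decode("ascii"))
```

To actually send the exchange, pass the request to urllib.request.urlopen; the point of the separation is that the request object shows the endpoint URL with no query string and the parameters only in req.data. Keep the verifier on the server side of your app between the two steps and hand out only the challenge.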
Ah, I see. In your doc it rather seemed like a single URL
Let me try this quick
This is the cURL request for the same as you suggested
Now it tells me:
{"error":"invalid_request","error_description":"The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. Request parameter 'grant_type' is missing"}
But I am sending the grant_type
Can I also know if I send an invalid code_verifier value, will it still throw me a 400 status code?
My bad, I didn't send it as a form. Now I am getting some meaningful errors
@Andre @ Kinde Thanks, now it works
Great to hear that it's working now @Eranga!
1. No other errors?
2. What would you have improved in our docs?
@Andre @ Kinde Sorry for the late reply. I had other errors but they were actually issues on my end since this was my first time trying out SSO.
To be honest, I was in a hurry to implement SSO using Kinde because I did it for a hackathon in my company. So I had like 1 day for doing everything.
I guess you guys are doing a great job in terms of making SSO pretty smooth for developers like us
So to answer your 2nd question, I believe I was a bit misled by the https://kinde.com/docs/developer-tools/using-kinde-without-an-sdk/#handling-the-callback request description. Maybe it is me, but I felt like I should have made a POST request with every parameter set as a query parameter.
I would recommend adding proper API request documentation there so there is no ambiguity there
Not related to your docs, but as a feature request I believe it will be very nice if we can integrate the SSO in our own UI without redirecting to your UI (I know you guys have already thought about it and working on it). This was discussed in our hackathon and came as a feedback for me. The main reason was that we don't have control over what we can show in that UI.
Another thing that was discussed is the recent incident with Okta (another player in Auth0 - you probably know them) where it got hacked and customer information was leaked. So, our company is very cautious about using 3rd party providers when it comes to user data. This is something I believe every company guarantees to its customers, but there are going to be unfortunate events like that happening every day. I think you have this on your website, but almost at the end of your site. Since you are all about authentication and authorisation, which is about securing stuff, you might want to rank the security of the system a bit higher.
Again, I am very happy with the support you provided throughout my development. Good luck
Oh, and one other thing. I noticed that if I add "Microsoft AD" as an Enterprise Identity provider and I am already logged in, I don't get a chance to select which account I need to log in from. I could have more than one Microsoft account. This could also be me being a novice to this IAM domain. So if this is already handled, just forget about this.
A big thanks for all the feedback @Eranga , please keep it coming as we are always looking at ways to improve the product and docs.