Invalid Code Verifier Error on Token Exchange

[Clarry100]

Hello all,

First-time Etsy API coder and Python user here... so go easy on me! 😊

I’m encountering an issue where Etsy returns an error stating that my code_verifier is invalid when attempting to exchange an authorization code for an access token.
Consequently, no access token is granted.

Context:
I’ve implemented the PKCE flow as per the RFC7636 specification and have included my relevant Python functions below.
The process involves generating a code_verifier, creating a corresponding code_challenge,
and verifying that the generated code_challenge matches the one recalculated from the original code_verifier before the request is sent.

I’ve manually tested and confirmed that the code_verifier and code_challenge values are consistent from generation through to their use in the OAuth flow.

Despite these checks, the Etsy server still returns the following error when attempting the access token exchange:
{"error":"invalid_grant","error_description":"code_verifier is invalid"}

This suggests that the Etsy server method of validating the code_verifier against the code_challenge is somehow not aligning with my own python implementation.

Questions:
Has anyone else experienced this issue or noticed discrepancies between their implementation of the PKCE spec and Etsy’s server behavior?

Are there any specific requirements or edge cases in Etsy's PKCE implementation (e.g., length restrictions, character encoding nuances) that I might be overlooking?

Below are the Python functions I’m using.
Any insights into potential problems or areas where they might diverge from Etsy’s expectations would be greatly appreciated.

Additional Information:
Here’s a brief overview of my OAuth flow:

1. Generate code_verifier and code_challenge using the python functions shown below.
2. Include the code_challenge (and method=S256) in the initial authorization request (/oauth/connect).
3. After receiving the authorization code, attempt to exchange it for an access token by passing the original code_verifier in the /oauth/token request.

I’ve verified that the code_verifier being sent matches what was used to generate the code_challenge.
The calculated and provided code_challenge values also match when tested locally.

#########################################################

def generate_code_verifier():

#Generates a secure random code verifier string that complies with the PKCE spec (RFC7636#Appendix-B).
#Length: 43-128 characters (inclusive).
#Allowed Characters: A-Z, a-z, 0-9, '-', '.', '_', '~'.

# Generate random bytes and encode to Base64
verifier = base64.urlsafe_b64encode(os.urandom(64)).rstrip(b'=').decode('utf-8')    

# Ensure verifier is within the required length range
if len(verifier) < 43 or len(verifier) > 128:
    raise ValueError(f"[generate_code_verifier] Code verifier length out of bounds: {len(verifier)}")

return verifier

#########################################################

def generate_code_challenge(code_verifier):

#Generates a code challenge based on a code verifier.
code_challenge = hashlib.sha256(code_verifier.encode('utf-8')).digest()
return base64.urlsafe_b64encode(code_challenge).rstrip(b'=').decode('utf-8')

#########################################################

def verify_code_challenge(code_verifier, code_challenge):
# Recalculate the challenge from the verifier
calculated_challenge = base64.urlsafe_b64encode(
hashlib.sha256(code_verifier.encode('utf-8')).digest()
).rstrip(b'=').decode('utf-8')

# Print and compare
print(f"[verify_code_challenge] Calculated Challenge: {calculated_challenge}")
print(f"[verify_code_challenge] Provided   Challenge: {code_challenge}")

return calculated_challenge == code_challenge

#########################################################

[Clarry100]

It seems I have solved my own problem...

When initiating a fresh oauth flow Etsy pops up a browser tab asking the user to grant access before it issues the auth code data.
My API app was not waiting for the user to click this grant access button but requested the auth code before the button had been clicked.
This meant that some kinda old/random code data was extracted from browser cached data which mean following python code was using an old possibly expired auth code. This was causing the random errors I was experiencing. Mostly code verifier invalid.

So I have now added a small tkinter popup window with an "OK to proceed..." button where the ptython code waits up to x-seconds (I can vary this wat time as required) until the user clicks grant access and then the proceed buttons before moving on with fetching the auth code.

Now I am getting an access token returned without error every time.

Happy days!!! I can now move on.