Third-party login: Invalid code verifier in PKCE flow

[david-uhlig]

Description:

This is a follow-up to #35419 which was only partly fixed in #37707. When using the implicit code flow, the fix introduced in 8.0.0 works. However, the PKCE flow remains dysfunctional even with the fix. It cannot exchange the authorization code for tokens at the token endpoint. The error code is invalid_grant with the message Invalid grant: code verifier is invalid .

Steps to reproduce:

1. Create a third-party login application in the Rocket Chat admin panel (https://example.com/admin/third-party-login).
2. Enter Redirect URI: https://oauthdebugger.com/debug.
3. Activate and note down Client ID, Authorization URL and Access Token URL.
4. Head over to https://oauthdebugger.com/debug
5. Enter Authorize URI, Client ID, Scope (openid),
6. Select Response type: [x] code, [x] Use PKCE?, [x] SHA-256.
7. Enter Token URI
8. Select Response mode: [x] query
9. Send request
10. Authorize at Rocket Chat
11. Response page shows the failure, see screenshot below.

Expected behavior:

Should be able to exchange authorization code for tokens at the token endpoint when using a PKCE code challenge. PKCE is crucial for securing OAuth 2.0, especially in modern implementations. It prevents authorization code interception attacks that target public clients like mobile apps and SPAs.

Actual behavior:

Server Setup Information:

• Version of Rocket.Chat Server: 8.1.1
• License Type:
• Number of Users:
• Operating System: Ubuntu 24.04.
• Deployment Method: docker
• Number of Running Instances:
• DB Replicaset Oplog:
• NodeJS Version:
• MongoDB Version:

[subhaushsingh]

Root Cause Analysis & Proposed Fix

After investigating the codebase, I found the source of the bug in
apps/meteor/server/oauth2-server/model.ts.

Root Cause

During the PKCE authorization flow, the client sends code_challenge and code_challenge_method in the authorization request.

• The saveAuthorizationCode method receives these fields from the library.
• However, its TypeScript signature uses Pick<AuthorizationCode, ...>, which does not include codeChallenge or codeChallengeMethod.
• As a result, these fields are silently dropped and never stored in MongoDB.

Later, when the client exchanges the authorization code for a token:

• The getAuthorizationCode method retrieves the stored record from MongoDB.
• Since codeChallenge was never saved, the @node-oauth/oauth2-server library cannot verify the code_verifier.
• This results in the error:
  invalid_grant: code verifier is invalid.

Proposed Fix

The fix requires changes in three places:

1. packages/core-typings/src/IOAuthAuthCode.ts

   • Add:

   codeChallenge?: string;
   codeChallengeMethod?: string;

   so the MongoDB document type supports these PKCE fields.

2. apps/meteor/server/oauth2-server/model.ts (saveAuthorizationCode)

   • Extend the Pick<> type to include:

   codeChallenge
   codeChallengeMethod

   • Persist these values in the MongoDB $set block.

3. apps/meteor/server/oauth2-server/model.ts (getAuthorizationCode)

   • Return codeChallenge and codeChallengeMethod from the stored record so the library can perform the PKCE verification.

Impact

The implicit OAuth flow (without PKCE) remains unaffected.

Next Step

I can open a PR implementing this fix and include an end-to-end test covering the full PKCE flow to ensure the verification works correctly.