Facebook oauth_code_verification_failed due to missing code_challenge #81

New Issue

GiteaMirror · 2026-03-13T07:32:17-05:00

GiteaMirror commented

2026-03-13 07:32:17 -05:00

Originally created by @PawelPotempa on GitHub (Oct 15, 2024).

Describe the bug:

When using the library to authenticate via Facebook OAuth with PKCE, the token exchange step fails with the error: oauth_code_verification_failed. The error message indicates that the code_verifier is provided without a corresponding code_challenge in the authorization request, causing the OAuth process to fail.

To Reproduce:

Set up Facebook OAuth in the project.
Initiate the OAuth flow by redirecting to the Facebook login page.
After the user logs in and the authorization code is returned, the library attempts to exchange the code for access tokens.
The process fails with the error: oauth_code_verification_failed.

Expected behavior:

It should successfully handle the PKCE flow, ensuring that both the code_verifier and code_challenge are correctly sent and validated. The access token should be retrieved after the authorization code is exchanged.

Additional context:

Error message received during the token exchange:

{ 
  error: { 
    message: 'code_verifier param is provided without a code_challenge in authorization request.',
    type: 'OAuthException',
    code: 1,
    fbtrace_id: 'AiVg2G-HnpatNZDjjXMWGXo'
  },
  status: 400,
  statusText: 'Bad Request'
}

Originally created by @PawelPotempa on GitHub (Oct 15, 2024). **Describe the bug:** When using the library to authenticate via Facebook OAuth with PKCE, the token exchange step fails with the error: oauth_code_verification_failed. The error message indicates that the code_verifier is provided without a corresponding code_challenge in the authorization request, causing the OAuth process to fail. **To Reproduce:** - Set up Facebook OAuth in the project. - Initiate the OAuth flow by redirecting to the Facebook login page. - After the user logs in and the authorization code is returned, the library attempts to exchange the code for access tokens. - The process fails with the error: oauth_code_verification_failed. **Expected behavior:** It should successfully handle the PKCE flow, ensuring that both the code_verifier and code_challenge are correctly sent and validated. The access token should be retrieved after the authorization code is exchanged. **Additional context:** Error message received during the token exchange: ``` { error: { message: 'code_verifier param is provided without a code_challenge in authorization request.', type: 'OAuthException', code: 1, fbtrace_id: 'AiVg2G-HnpatNZDjjXMWGXo' }, status: 400, statusText: 'Bad Request' } ```

GiteaMirror closed this issue

2026-03-13 07:32:17 -05:00

GiteaMirror commented

2026-03-13 07:32:18 -05:00

@Bekacru commented on GitHub (Oct 16, 2024):

hey can you please check if this is resolved on the beta release better-auth@beta

@Bekacru commented on GitHub (Oct 16, 2024): hey can you please check if this is resolved on the beta release `better-auth@beta`

GiteaMirror commented

2026-03-13 07:32:18 -05:00

@PawelPotempa commented on GitHub (Oct 16, 2024):

I've checked and it works - however, the account created comes with emailVerified: false, which I believe is intended (as far as I remember facebook isn't considered a trusted provider). That brings up a question though - what's the correct flow here to send the verification email? Can we intercept the oauth authorization success to send a verification email to the user?

@PawelPotempa commented on GitHub (Oct 16, 2024): I've checked and it works - however, the account created comes with `emailVerified: false`, which I believe is intended (as far as I remember facebook isn't considered a trusted provider). That brings up a question though - what's the correct flow here to send the verification email? Can we intercept the oauth authorization success to send a verification email to the user?

GiteaMirror commented

2026-03-13 07:32:19 -05:00

@Bekacru commented on GitHub (Oct 16, 2024):

good question. we already support sending email verification on signup for email & password. we should support for oauth signups too. Feel free to open another issue. For now you can send using database hooks

https://www.better-auth.com/docs/concepts/database#database-hooks

before or after the user creation check if the email isn't verified and send email verification

@Bekacru commented on GitHub (Oct 16, 2024): good question. we already support sending email verification on signup for email & password. we should support for oauth signups too. Feel free to open another issue. For now you can send using database hooks https://www.better-auth.com/docs/concepts/database#database-hooks before or after the user creation check if the email isn't verified and send email verification

GiteaMirror commented

2026-03-13 07:32:20 -05:00

@PawelPotempa commented on GitHub (Oct 16, 2024):

Before I open another issue - it seems the problem is either a bit more complex, or my implementation makes no sense. Here's a quick and unpolished code:

databaseHooks: {
        account: {
            create: {
                after: async (account) => {
                    if (account.providerId !== "credential") {
                        const user = await db.query.user.findFirst({
                            where: (user, { eq }) => eq(user.id, account.userId)
                        });

                        if (!user?.emailVerified && user) {
                            await auth.api.sendVerificationEmail({
                                body: {
                                    email: user.email,
                                },
                            });
                        }
                    }
                }
            },
        }
    },

The email with verification is being sent just fine, but the /verify-email api route doesn't work properly. The url looks fine:
http://localhost:3000/api/auth/verify-email?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJlbWFpbCI6InB3cG90ZW1wYUBnbWFpbC5jb20iLCJhdWQiOlsicHdwb3RlbXBhQGdtYWlsLmNvbSJdLCJzdWIiOiJ2ZXJpZnktZW1haWwiLCJpc3MiOiJiZXR0ZXItYXV0aCIsImV4cCI6MTcyOTExMDI3NSwiaWF0IjoxNzI5MTA2Njc1fQ.Vp4HZFRdLWMavZ8nZHLsuQRnuG1u6HRvJ-ILBkQ0H-I&callbackURL=http://localhost:3000/user-panel#_=_

The response I get is:
{"message":"Account not found"}.

I'm currently on: 0.4.10-beta.9

Tried on the newest 0.4.11 too, but an entirely different issue happens there (despite the #189 being merged to it) - can't register with Facebook yet again.

{ error: Better Auth
   { message:
      'code_verifier param is provided without a code_challenge in\n authorization request.',
      type: 'OAuthException',
      code: 1,
      fbtrace_id: 'AHjYbTBx2iKGufQL2GHupk3' },
  status: 400,
  statusText: 'Bad Request' }

@PawelPotempa commented on GitHub (Oct 16, 2024): Before I open another issue - it seems the problem is either a bit more complex, or my implementation makes no sense. Here's a quick and unpolished code: ``` databaseHooks: { account: { create: { after: async (account) => { if (account.providerId !== "credential") { const user = await db.query.user.findFirst({ where: (user, { eq }) => eq(user.id, account.userId) }); if (!user?.emailVerified && user) { await auth.api.sendVerificationEmail({ body: { email: user.email, }, }); } } } }, } }, ``` The email with verification is being sent just fine, but the /verify-email api route doesn't work properly. The url looks fine: `http://localhost:3000/api/auth/verify-email?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJlbWFpbCI6InB3cG90ZW1wYUBnbWFpbC5jb20iLCJhdWQiOlsicHdwb3RlbXBhQGdtYWlsLmNvbSJdLCJzdWIiOiJ2ZXJpZnktZW1haWwiLCJpc3MiOiJiZXR0ZXItYXV0aCIsImV4cCI6MTcyOTExMDI3NSwiaWF0IjoxNzI5MTA2Njc1fQ.Vp4HZFRdLWMavZ8nZHLsuQRnuG1u6HRvJ-ILBkQ0H-I&callbackURL=http://localhost:3000/user-panel#_=_` The response I get is: `{"message":"Account not found"}`. I'm currently on: `0.4.10-beta.9` Tried on the newest `0.4.11` too, but an entirely different issue happens there (despite the #189 being merged to it) - can't register with Facebook yet again. ``` { error: Better Auth { message: 'code_verifier param is provided without a code_challenge in\n authorization request.', type: 'OAuthException', code: 1, fbtrace_id: 'AHjYbTBx2iKGufQL2GHupk3' }, status: 400, statusText: 'Bad Request' } ```

GiteaMirror commented

2026-03-13 07:32:20 -05:00

@Bekacru commented on GitHub (Oct 16, 2024):

regarding facebook it should be fixed. please confirm me. try 0.4.12-beta.1

@Bekacru commented on GitHub (Oct 16, 2024): regarding facebook it should be fixed. please confirm me. try `0.4.12-beta.1`

GiteaMirror commented

2026-03-13 07:32:21 -05:00

@PawelPotempa commented on GitHub (Oct 16, 2024):

Yep, can confirm - facebook works fine again in 0.4.12-beta.1. The email verification error persists.

@PawelPotempa commented on GitHub (Oct 16, 2024): Yep, can confirm - facebook works fine again in `0.4.12-beta.1`. The email verification error persists.

GiteaMirror commented

2026-03-13 07:32:21 -05:00

@Bekacru commented on GitHub (Oct 16, 2024):

Yep, can confirm - facebook works fine again in 0.4.12-beta.1. The email verification error persists.

For the email verification issue, try0.4.12-beta.2 And unless you specfically don't want to send verification on credential you should send on user.create instead.

@Bekacru commented on GitHub (Oct 16, 2024): > Yep, can confirm - facebook works fine again in `0.4.12-beta.1`. The email verification error persists. For the email verification issue, try`0.4.12-beta.2` And unless you specfically don't want to send verification on credential you should send on `user.create` instead.

GiteaMirror commented

2026-03-13 07:32:22 -05:00

@PawelPotempa commented on GitHub (Oct 16, 2024):

Also can confirm, works perfectly fine now. Thanks!

You're absolutely right, I just kept using sendEmailVerificationOnSignUp: true so it did send the verification email for credentials anyway, but I guess it makes perfect sense to disable it and use just the hook instead.

Just a quick heads up - though that should most likely be another issue as well - if we have credentials account and wanna link a facebook account with the same email to it - it doesn't work. Linking Google account worked just fine. No visible errors anywhere, so nothing to share here.

@PawelPotempa commented on GitHub (Oct 16, 2024): Also can confirm, works perfectly fine now. Thanks! You're absolutely right, I just kept using `sendEmailVerificationOnSignUp: true` so it did send the verification email for credentials anyway, but I guess it makes perfect sense to disable it and use just the hook instead. Just a quick heads up - though that should most likely be another issue as well - if we have credentials account and wanna link a facebook account with the same email to it - it doesn't work. Linking Google account worked just fine. No visible errors anywhere, so nothing to share here.

GiteaMirror commented

2026-03-13 07:32:22 -05:00

@Bekacru commented on GitHub (Oct 17, 2024):

if emailVerified isn't returned or if it's false, the account won't be linked. On google case it's always assumed verified.

@Bekacru commented on GitHub (Oct 17, 2024): if emailVerified isn't returned or if it's false, the account won't be linked. On google case it's always assumed verified.

GiteaMirror referenced this issue

2026-03-13 10:39:36 -05:00

[PR #81] [MERGED] fix: move import to be dynamic #3089

GiteaMirror referenced this issue

2026-04-13 07:42:10 -05:00

[PR #81] [MERGED] fix: move import to be dynamic #11336

GiteaMirror referenced this issue

2026-04-15 19:23:26 -05:00

[PR #81] [MERGED] fix: move import to be dynamic #19990

GiteaMirror referenced this issue

2026-04-17 20:10:09 -05:00

[PR #81] [MERGED] fix: move import to be dynamic #28690

Sign in to join this conversation.

Branches Tags

2026-05-22/chore/adopt-agents-md

2026-05-22/refactor/string-case-utils

dependabot/npm_and_yarn/uuid-14.0.0

dependabot/npm_and_yarn/turbo-2.9.14

changeset-release/main

main

2026-05-14/fix/passkey-verify-error-and-claim

dependabot/npm_and_yarn/samlify-2.13.0

dependabot/npm_and_yarn/ws-8.20.1

changeset-release/next

dependabot/npm_and_yarn/demo/electron/demo-minor-patch-519ef7475f

dependabot/github_actions/github-actions-98f3470200

client-assertions-main

2026-05-15/ci/fix-sqlite-abi-mismatch

2026-05-15/fix/organization-team-add-cascade

2026-05-15/fix/parse-set-cookie-value-validation

2026-05-13/feat/captcha-wildcard-endpoints

2026-05-13/ci/stabilize-docker-startup

fix/i18n-before-hook-translation

fix/disable-migration-generate

2026-05-07/fix/admin-set-password-upsert

2026-05-10/fix/cookie-drain-order

2026-05-10/feat/hooks-finally

2026-05-09/fix/cookie-drain-order

2026-05-09/feat/hooks-finally

2026-05-08/feat/register-before-send

fix/stripe/subscription-data-merge

2026-05-01/chore/pnpm-v11-harden

chore/pnpm-v11

2026-04-29/feat/google-include-granted-scopes

2026-04-29/fix/oauth-account-scope-semantics

2026-04-27/fix/nextcookies-idempotent-writes

2026-04-26/fix/harden-proxy-host-validation

2026-04-26/refactor/stripe-callback-signature-cleanup

2026-04-26/fix/stripe-subscription-callback-timing

2026-04-11/fix/sveltekit-app-modules

feat/open-api-zod-contract

feat/oauth-provider-backchannel-logout-next

feat/oauth-idp-initiated-bounce

refactor/sign-in-challenges

2026-04-21/fix/oauth-rfc-input-validation

fix/release-notes-new-packages

fix/two-factor-identity-guard

fix/resource

feat/emailpassword-authorize

2026-04-12/security/dynamic-baseurl-proxy-trust-default

feat/oauth-provider-at-hash-v2

fix/release-grep-fallback

claude/address-review-comments-JhFLr

claude/slack-update-stripe-docs-consistency-8Sc0w

feat/async-auth

fix/two-factor-totp-verified-enrollment

feat/plugin-ui

codex/blog-1-6-release-post

2026-04-06/fix/type-any-guards

2026-04-05/chore/downgrade-better-call

2026-04-04/ci/skip-vercel-fork-prs

2026-03-28/ci/add-autofix-ci

chore/release-preview-script

himself65/2026/02/19/role

2026-03-24/fix/update-user-info-on-link

2026-03-20/docs/improve-website

2026-03-20/fix/anonymous-onlinkaccount-expo

2026-02-17/fix/anonymous-link-state

fix/8607-saml-inresponseto

fix/8549-scim-patch-noop

v1.4.x

refactor/migration-snapshot-tests

worktree-magic-link-additional-data

chore/migrate-build-to-rollup

worktree-fix-dynamic-baseurl-8447

2026-03-06/chore/public-api-check

fix/close-8156-regression-test

fix/secondary-storage-json-error-handling

himself65/verification-namespace

cursor/issue-8307-validation-79a3

himself65/2026/01/30/error-mdx

v1.4.x-staging

fix/email-otp-user

fix/restrict-full-organization-access-roles

himself65/2026/02/12/count

himself65/2026/02/04/define-plugin

2026-02-04/feat/add-pluralize

cursor/better-auth-js-integration-ec21

cursor/expo-state-mismatch-394c

2026-02-01/fix/org-update-role-sync-members

cursor/issue-7607-investigation-e146

cursor/email-generation-helper-0ff6

himself65/2026/01/21/avoid-spread-operator

himself65/2026/01/14/cli

claude/slack-add-docs-pr-NMvgO

claude/slack-add-advanced-useplural-WHKYL

feat/hooks-pos

feat/2fa-phone

feat/2fa

fix/rotation

fix/username-check

v1.3.x

refactor/organization

feat/multiple-client-ids-social-providers

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/better-auth#81