[GH-ISSUE #5358] [bug]: Authorization code flow not starting with PKCE #2048

Closed
opened 2026-03-16 22:58:43 +03:00 by kerem · 10 comments

Originally created by @macmessa on GitHub (Aug 28, 2025).
Original GitHub issue: https://github.com/hoppscotch/hoppscotch/issues/5358

Originally assigned to: @anwarulislam on GitHub.

Is there an existing issue for this?

  • I have searched existing issues and this bug hasn't been reported yet

Platform

Web App/Desktop App

Browser

Edge Version 134.0.3124.72

Operating System

Windows

Bug Description

Since lots of the apps created in our authorization server are public clients, they implement the PKCE for client authentication.
I've tried to set an authorization code flow with PKCE, so the label `Code Challenge` shows up, but with no additional fields like `Code Verifier` and `Code Challenge Method`. I think this might be triggering a form validation when I click `Generate Token`, requesting these fields (they are needed).

Deployment Type

Self-hosted (on-prem deployment)

Version

v2025.7.1

kerem 2026-03-16 22:58:43 +03:00
  • closed this issue
  • added the bug label

@Gandhi11 commented on GitHub (Sep 18, 2025):

Same problem here. I think the "algorithms" dropdown should be shown which is not the case at the moment.


@Gandhi11 commented on GitHub (Sep 18, 2025):

In local development the dropdown is there. But not in built web app or desktop app.


@Gandhi11 commented on GitHub (Sep 19, 2025):

@macmessa Is the collection you are trying to add this to an imported collection? On my side it seems to work when it is a completely new collection...


@macmessa commented on GitHub (Sep 19, 2025):

> @macmessa Is the collection you are trying to add this to an imported collection? On my side it seems to work when it is a completely new collection...

Yes, turns out it was because it was an imported collection. I had to create a new one and recreate all of the endpoints, making the import useless for me, in this case.


@anwarulislam commented on GitHub (Oct 6, 2025):

Hello @Gandhi11, @macmessa,

Following the discussion, it seems that the issue may not be related to the PKCE implementation. The problem pertains to the failure to display all the required fields after the import of collections. However, when a new collection is created, it functions correctly. Could you please confirm if this is accurate or provide further details?


@macmessa commented on GitHub (Oct 6, 2025):

> Hello @Gandhi11, @macmessa,
>
> Following the discussion, it seems that the issue may not be related to the PKCE implementation. The problem pertains to the failure to display all the required fields after the import of collections. However, when a new collection is created, it functions correctly. Could you please confirm if this is accurate or provide further details?

Exactly, it only fails when it's an imported collection; it does not display all required fields.


@anwarulislam commented on GitHub (Oct 6, 2025):

@macmessa, thanks for the confirmation.


@Gandhi11 commented on GitHub (Oct 9, 2025):

@anwarulislam After investigating the TeamCollection entry in the database, it looks like the required key `codeVerifierMethod` is missing in the auth key of the data column. I think it should be "plain" or "S256".

Here's a look at the data after the Postman importation.

```
{
  "auth": {
    "addTo": "HEADERS",
    "authType": "oauth-2",
    "authActive": true,
    "grantTypeInfo": {
      "token": "",
      "isPKCE": true,
      "scopes": "",
      "clientID": "<<ClientID>>",
      "grantType": "AUTHORIZATION_CODE",
      "authEndpoint": "XXXX",
      "clientSecret": "<<ClientSecret>>",
      "tokenEndpoint": "XXXXXX",
      "authRequestParams": [],
      "tokenRequestParams": [],
      "refreshRequestParams": []
    }
  },
  ...
}
```

Here's a look at the data on a working collection.

```
{
  "auth": {
    "addTo": "HEADERS",
    "authType": "oauth-2",
    "authActive": true,
    "grantTypeInfo": {
      "token": "",
      "isPKCE": true,
      "scopes": "",
      "clientID": "<<ClientID>>",
      "grantType": "AUTHORIZATION_CODE",
      "authEndpoint": "XXXX",
      "clientSecret": "<<ClientSecret>>",
      "tokenEndpoint": "XXXXXX",
      "authRequestParams": [],
      "codeVerifierMethod": "S256",
      "tokenRequestParams": [],
      "refreshRequestParams": []
    }
  },
  ...
}
```

Hope this helps.

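An added example, not part of the thread and not the Hoppscotch fix: a check for the condition described in the comment above, which walks exported collection JSON, reports every OAuth 2.0 block with `isPKCE: true` but no valid `codeVerifierMethod`, and can fill the key in. The function names, the constructed sample with its `name` and `folders` container keys, and the choice of `S256` as the default (the method RFC 7636 requires of clients able to use it) are assumptions of this example.

```javascript
// Added example, not Hoppscotch code. Field names come from the JSON quoted
// in the thread; everything else is an assumption of this sketch.
const ALLOWED_METHODS = ["S256", "plain"]; // the two values named in the thread

// Visit every object in the document, whatever its nesting, and collect the
// authorization-code blocks that enable PKCE without a usable method.
function findIncompletePkce(node, path = "$", hits = []) {
  if (Array.isArray(node)) {
    node.forEach((child, i) => findIncompletePkce(child, `${path}[${i}]`, hits));
  } else if (node !== null && typeof node === "object") {
    const info = node.grantTypeInfo;
    if (info && typeof info === "object" &&
        info.grantType === "AUTHORIZATION_CODE" && info.isPKCE === true &&
        !ALLOWED_METHODS.includes(info.codeVerifierMethod)) {
      hits.push({ path: `${path}.grantTypeInfo`, info });
    }
    for (const [key, child] of Object.entries(node)) {
      findIncompletePkce(child, `${path}.${key}`, hits);
    }
  }
  return hits;
}

// Fill in the missing key in place and return the paths that were changed.
// Defaulting to S256 is this example's choice, not something the thread states.
function repairPkce(collection, method = "S256") {
  if (!ALLOWED_METHODS.includes(method)) throw new RangeError(`bad method: ${method}`);
  const hits = findIncompletePkce(collection);
  for (const { info } of hits) info.codeVerifierMethod = method;
  return hits.map((hit) => hit.path);
}

// Constructed sample: the top-level auth mirrors the imported shape from the
// thread (no codeVerifierMethod); the nested one mirrors the working shape.
const sample = {
  name: "imported",
  auth: { authType: "oauth-2", authActive: true,
          grantTypeInfo: { grantType: "AUTHORIZATION_CODE", isPKCE: true } },
  folders: [{
    name: "working",
    auth: { authType: "oauth-2", authActive: true,
            grantTypeInfo: { grantType: "AUTHORIZATION_CODE", isPKCE: true,
                             codeVerifierMethod: "S256" } },
  }],
};

console.log(findIncompletePkce(sample).map((hit) => hit.path));
```
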

@anwarulislam commented on GitHub (Oct 13, 2025):

@Gandhi11, I just submitted the PR. It is expected to address the issue. If you could confirm and verify the changes, it would be greatly appreciated. Please inform me if it is functioning correctly.


@jamesgeorge007 commented on GitHub (Oct 31, 2025):

Hi, closing this issue since the patch is now live with the [latest release](https://github.com/hoppscotch/hoppscotch/releases/tag/2025.10.0). Please feel free to share any feedback.