
[BUG] RSO Login ‘Invalid or expired authorization code, Redirection URI mismatch or PKCE verification failure’ #999

Open
ramezsw opened this issue Oct 14, 2024 · 9 comments

Comments

@ramezsw

ramezsw commented Oct 14, 2024

Bug Description
When trying to login through the Riot single sign-on page, the login fails and returns the below error in the redirect URI response.

‘Invalid or expired authorization code, Redirection URI mismatch or PKCE verification failure’

Problem Description
The API Key used is fine and not expired. It's been working for many months, only started to fail on ~October 13th.

Expected Result
Upon successfully logging in using Riot Account credentials, users should be authenticated in the third-party app.

Actual Result
Call to redirect URI fails with 400 Error code, with the error mentioned above.

Developer Impact
Consistent frequency on any login attempt. Using different browsers/incognito does not fix the issue. Manually entering the Riot username/password instead of logging in with Google etc. does not work either.

  • Frequency: Consistent, on any attempt to Sign in with Riot.
  • Severity: Users cannot link their Riot accounts on our platform.

Preconditions
N/A

Have there been any changes in the RSO endpoints recently? We could not find any documentation changes online; however, sites like tracker.gg were showing the same error starting October 13th. But it appears that issue is now fixed on tracker.gg.

@xorth

xorth commented Oct 15, 2024

Can confirm we are experiencing this too. (Tracker.gg)

@ramezsw

ramezsw commented Oct 15, 2024

Thanks for looking into this. We managed to find a solution to the issue on www.gamerg.gg by changing the parameter structure of the /token endpoint call; it seems the structure of the Bearer token is a bit different starting from 13th October, which was causing the error.

The RSO API doc has no mention of any recent changes, so we're not sure what changed behind the scenes to start causing the issue, but we found our workaround/solution by trying out the different methods documented in this RFC: https://www.rfc-editor.org/rfc/rfc6749#section-4.1.3

@lucasMesquitaBorges

@ramezsw thanks for the update!
@xorth are you still facing this issue? If it's ongoing, please provide an example curl

@Freakyygg

I am running into the same issue sadly.

I figured out that if a user already has the "APP" listed here https://account.riotgames.com/#connected-accounts, everything works perfectly fine. New users, however, can't link their accounts due to the issue mentioned above. I also created a Developer ticket regarding this; sadly no response since ~2 weeks.

@lucasMesquitaBorges I hope that this helps

@ramezsw any chance to give all the others who struggle with this issue the solution you were able to find?

@Jagooodek

@lucasMesquitaBorges
I am running into the same issue, example curl:
curl --location 'https://auth.riotgames.com/token' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer' \
  --data-urlencode 'client_assertion=jwt' \
  --data-urlencode 'grant_type=authorization_code' \
  --data-urlencode 'code=code_from_callback' \
  --data-urlencode 'redirection_uri=https://mleapp.com/profile?verify=lol'

response: 400
{
  "error": "invalid_request",
  "error_description": "Invalid or expired authorization code, redirection URI mismatch, or PKCE verification failure"
}

@ramezsw

ramezsw commented Nov 5, 2024

@Freakyygg - Sure, the fix was simply to modify our call to the /token endpoint and use Basic Authentication (Base64). As mentioned in my initial comment, the solution for us was precisely in RFC section 4.1.3 in the link I shared.

Below is a simple cURL request that might help you.

curl -X POST 'https://auth.riotgames.com/token' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -H 'Authorization: Basic <Base64 of clientid:secret>' \
  --data-urlencode 'grant_type=authorization_code' \
  --data-urlencode 'code=<code from /authorize>' \
  --data-urlencode 'redirect_uri=<your_callback_url>'

Previously, we were calling /token directly with the client id and client secret in the body, and letting the Riot auth server do the rest. This method was working for quite a long time; only a couple of weeks back it broke mysteriously and started returning malformed access tokens, so we just followed the OAuth protocol as per the RFC to fix it.

I hope this helps.

@Jagooodek

There are two methods of client authorization: Client Secret Basic and Private Key JWT.

I believe that we're forced to use the one that Riot set up for us; we don't have a client secret, we need to use a JWT. And authentication with a JWT is outside the linked RFC specification.

@ramezsw 's solution unfortunately doesn't help us.

@Freakyygg

Thank you, that resolved the issue it seems, as I was able to link my accounts now.

@lucasMesquitaBorges

lucasMesquitaBorges commented Nov 13, 2024

@Jagooodek About the curl you provided:

  • Field client_assertion: I'm assuming you're providing the sample token from when you registered a JWK, or a self-generated token signed with your private key with a valid expiry time.
  • Field redirection_uri is invalid; it needs to be renamed to redirect_uri.

After checking these items, it should work.

Also, if you want, you can ask us to change your app from Private Key JWT to Client Secret Basic at https://support-developer.riotgames.com
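An added example (not code from this thread, from Riot or from the project) that builds the /token request both ways discussed here, client_secret_basic as in ramezsw's fix and private_key_jwt as in Jagooodek's setup, checks the assertion's claims and expiry that lucasMesquitaBorges asks about, and flags the redirection_uri parameter name. The endpoint and the assertion-type URN are the values quoted in the thread; client ids, secrets, codes and the unsigned test assertion are constructed placeholders.

```python
import base64, json, time
from urllib.parse import quote, urlencode

# Added example, not the project's code; endpoint and URN are the standard values from the thread.
TOKEN_URL = "https://auth.riotgames.com/token"
JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
KNOWN = {"grant_type", "code", "redirect_uri", "client_id", "client_secret",
         "client_assertion_type", "client_assertion", "code_verifier"}

def audit_params(params):
    """Catches the thread's bug: only RFC 6749 4.1.3 names are accepted (redirect_uri, not redirection_uri)."""
    missing = sorted({"grant_type", "code", "redirect_uri"} - params.keys())
    unknown = sorted(params.keys() - KNOWN)
    return [f"missing {k}" for k in missing] + [f"unknown {k}" for k in unknown]

def basic_auth_header(client_id, client_secret):
    """RFC 6749 2.3.1: form-urlencode each part, join with ':', then base64."""
    creds = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(creds.encode()).decode()

def unsigned_assertion(claims):
    """Constructed test input only: a JWS-shaped string with a dummy signature segment."""
    seg = lambda raw: base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return seg(b'{"alg":"RS256"}') + "." + seg(json.dumps(claims).encode()) + ".sig"

def check_client_assertion(jwt, client_id, now):
    """Claim checks for private_key_jwt (RFC 7523 s3); signature verification is the server's job."""
    parts = jwt.split(".")
    if len(parts) != 3:
        return "client_assertion is not a compact JWS"
    claims = json.loads(base64.urlsafe_b64decode(parts[1] + "=" * (-len(parts[1]) % 4)))
    if claims.get("iss") != client_id or claims.get("sub") != client_id:
        return "iss and sub must equal the client_id"
    if claims.get("exp", 0) <= now:
        return "assertion expired (exp must be in the future)"
    return None

def build_token_request(client_id, code, redirect_uri, *, client_secret=None,
                        client_assertion=None, now=None):
    """Returns (url, headers, urlencoded body) for /token, or raises ValueError."""
    body = {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if client_secret is not None:  # client_secret_basic, the method ramezsw switched to
        headers["Authorization"] = basic_auth_header(client_id, client_secret)
    elif client_assertion is not None:  # private_key_jwt, the method Jagooodek's app uses
        if problem := check_client_assertion(client_assertion, client_id, now or time.time()):
            raise ValueError(problem)
        body.update(client_assertion_type=JWT_BEARER, client_assertion=client_assertion)
    else:
        raise ValueError("need client_secret or client_assertion")
    return TOKEN_URL, headers, urlencode(body)
```

Run audit_params over the form fields of a failing request before touching credentials; the redirection_uri typo shows up as both a missing and an unknown parameter.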
