From 3361ed29e6f869527846d5a601197dae347e1c92 Mon Sep 17 00:00:00 2001
From: Baris Sencan
Date: Sun, 1 Mar 2026 18:38:29 +0000
Subject: [PATCH] Fix PKCE code verifier not being generated for initial OAuth flow
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

When `create_oauth_flow()` is called without an explicit `code_verifier` (i.e. during the initial auth flow in `start_auth_flow()`), the function never sets `autogenerate_code_verifier=True` on the Flow constructor.

oauthlib 3.2+ automatically adds `code_challenge` to the authorization URL at the session level, so Google expects a matching `code_verifier` during the token exchange. However, since `Flow.code_verifier` remains `None`, that `None` gets stored in the session store and later passed back during the callback — causing Google to reject the token exchange with `(invalid_grant) Missing code verifier`.

The fix adds `autogenerate_code_verifier=True` in the else branch so the Flow object generates and exposes a proper PKCE code verifier that gets stored and reused during the callback token exchange.

Co-Authored-By: Claude Opus 4.6
---
 auth/google_auth.py | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/auth/google_auth.py b/auth/google_auth.py
index 942d2f5..f9b7947 100644
--- a/auth/google_auth.py
+++ b/auth/google_auth.py
@@ -306,6 +306,12 @@ def create_oauth_flow(
         flow_kwargs["code_verifier"] = code_verifier
         # Preserve the original verifier when re-creating the flow in callback.
         flow_kwargs["autogenerate_code_verifier"] = False
+    else:
+        # Generate PKCE code verifier for the initial auth flow.
+        # Without this, oauthlib 3.2+ adds code_challenge to the auth URL
+        # at the session level, but Flow.code_verifier stays None.
+        # Google then rejects the token exchange with "Missing code verifier".
+        flow_kwargs["autogenerate_code_verifier"] = True
 
     # Try environment variables first
     env_config = load_client_secrets_from_env()
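Review bot: The added else branch only requests generation; nothing in the hunk guards against the constructed Flow still ending up with `code_verifier` equal to `None`, which is exactly the state that produced `(invalid_grant) Missing code verifier` and would silently recur if the library's behaviour changes again. `create_oauth_flow` continues outside the hunk, where the Flow is presumably built and its verifier written to the session store; I would fail fast there rather than persist `None` a second time, e.g. `if flow.code_verifier is None: raise ValueError("PKCE code verifier was not generated for the initial flow")` right after the Flow is constructed. The else-branch comment explains the library interaction well; I would add one line noting that the generated verifier is secret material that must only ever be kept server-side and retrieved for the matching callback, since the `if` branch re-creates the flow from it. Minor style: both branches now set `flow_kwargs["autogenerate_code_verifier"]`, so a single `flow_kwargs["autogenerate_code_verifier"] = code_verifier is None` before the `if` would express the same, though the explicit branches with their comments are arguably clearer and can stay.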