[BUG] RSO Login ‘Invalid or expired authorization code, Redirection URI mismatch or PCKE verification failure’ #999

Open
ramezsw opened this issue Oct 14, 2024 · 2 comments

ramezsw commented Oct 14, 2024

Bug Description
When trying to log in through the Riot single sign-on page, the login fails and returns the below error in the redirect URI response.

‘Invalid or expired authorization code, Redirection URI mismatch or PCKE verification failure’

Problem Description
The API Key used is fine and not expired. It's been working for many months, only started to fail on ~October 13th.

Expected Result
Upon successfully logging in using Riot Account credentials, users should be authenticated in the third-party app.

Actual Result
The call to the redirect URI fails with a 400 error code, with the error mentioned above.

Developer Impact
Consistent frequency on any login attempt. Using different browsers/incognito is not fixing the issue. Also, manually entering the Riot username/pass instead of logging in with Google etc. is not working.

  • Frequency: Consistent, on any attempt to Sign in with Riot.
  • Severity: Users cannot link their Riot accounts on our platform.

Preconditions
N/A

Have there been any changes in the RSO endpoints recently? We could not find any documentation changes online; however, sites like tracker.gg were showing the same error starting October 13th. But it appears that issue is now fixed on tracker.gg.

xorth commented Oct 15, 2024

Can confirm we are experiencing this too. (Tracker.gg)

ramezsw commented Oct 15, 2024

Thanks for looking into this. We managed to find a solution to the issue in www.gamerg.gg by changing the parameter structure of the /token endpoint. It seems the structure of the Bearer token is a bit different starting from 13th October, which was causing the error.

The RSO API doc has no mention of any recent changes, so we're not sure what changed behind the scenes to start causing the issue, but we found our workaround/solution by trying out different methods as documented in this RFC https://www.rfc-editor.org/rfc/rfc6749#section-4.1.3
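
As an added illustration (not code from this thread or from Riot), the sketch below builds the RFC 6749 section 4.1.3 token request with client credentials placed either way section 2.3.1 allows, and checks locally for the redirect URI and PKCE causes named in the error message. The endpoint, client values and helper names are placeholders, and the S256 challenge method is assumed; the thread does not say which change resolved the issue.

```python
import base64
import hashlib
from urllib.parse import parse_qs, quote_plus, urlencode

TOKEN_URL = "https://auth.example.invalid/token"  # placeholder, not a real endpoint


def build_token_request(code, redirect_uri, client_id, client_secret,
                        auth_style="basic", code_verifier=None):
    """Return (url, headers, body) for an RFC 6749 section 4.1.3 token request."""
    if auth_style not in ("basic", "body"):
        raise ValueError("auth_style must be 'basic' or 'body'")
    params = {"grant_type": "authorization_code", "code": code,
              "redirect_uri": redirect_uri}
    if code_verifier is not None:  # RFC 7636, only when /authorize carried a challenge
        params["code_verifier"] = code_verifier
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if auth_style == "basic":
        # RFC 6749 section 2.3.1: form-encode id and secret, then HTTP Basic
        pair = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
        headers["Authorization"] = "Basic " + base64.b64encode(pair.encode()).decode()
    else:
        # Alternative allowed by section 2.3.1: credentials in the request body
        params.update(client_id=client_id, client_secret=client_secret)
    return TOKEN_URL, headers, urlencode(params)


def preflight(authorize_params, token_body):
    """List local mismatches matching the causes named in the error message."""
    sent = {k: v[0] for k, v in parse_qs(token_body).items()}
    problems = []
    if sent.get("redirect_uri") != authorize_params.get("redirect_uri"):
        problems.append("redirect_uri differs from the one sent to /authorize")
    challenge = authorize_params.get("code_challenge")
    if challenge:  # assumption: the S256 challenge method was used
        digest = hashlib.sha256(sent.get("code_verifier", "").encode()).digest()
        if base64.urlsafe_b64encode(digest).rstrip(b"=").decode() != challenge:
            problems.append("code_verifier does not match the S256 code_challenge")
    return problems


if __name__ == "__main__":
    # Constructed sample values; the trailing slash is the deliberate mismatch.
    authorize = {"redirect_uri": "https://app.example.invalid/callback"}
    for style in ("basic", "body"):
        url, headers, body = build_token_request(
            "sample-code", "https://app.example.invalid/callback/",
            "sample-client", "s3cret:/+", auth_style=style)
        print(style, sorted(headers), body, preflight(authorize, body))
```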
