Code Verifier Error "Parameter 'code_challenge' must be between 43 and 128 characters long"

Overview

The log entry with the description "Parameter 'code_verifier' must be between 43 and 128 characters long" shows up in the tenant logs when the application sends a "code_verifier" parameter that was generated from 97-128 random bytes, so that its base64url-encoded form exceeds the 128-character limit.

Applies To
  • OAuth 2.0
  • Proof Key for Code Exchange (PKCE)
  • Code Challenge
  • Code Verifier

Solution

This is expected behavior based on the RFC specifications.

According to the RFC 7636: "The code verifier SHOULD have enough entropy to make it impractical to guess the value. It is RECOMMENDED that the output of a suitable random number generator be used to create a 32-octet sequence. The octet sequence is then base64url-encoded to produce a 43-octet URL safe string to use as the code verifier."


Base64 encoding represents 3 bytes of binary data as 4 characters.

  • To meet the minimum length (43): you need at least 33 random bytes, since ceil(43 / 4) * 3 = 33. Encoding 33 bytes results in a 44-character string, which is valid.
  • To meet the maximum length (128): you need at most 96 random bytes, since floor(128 / 4) * 3 = 96. Encoding 96 bytes results in a 128-character string, which is valid.

Example: 97 bytes is exactly one byte too many. Encoding 97 bytes would result in a 132-character string (ceil(97/3)*4 = 132), which Auth0 correctly rejects as being over the 128-character limit.


When generating the code_verifier, your application must:

  1. Generate a cryptographically random sequence of bytes.
  2. Use between 33 and 96 bytes, inclusive.
  3. Base64url-encode this byte sequence (without padding).
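The following is an added example, not code from the Auth0 article or from Auth0's SDKs. It implements the three steps above in Python and also validates the result against the length and character-set rules of RFC 7636 section 4.1 (43 to 128 unreserved characters), so an out-of-range verifier is caught in the client before the token request is sent rather than surfacing later as the tenant-log error. The helper `encoded_length()` gives the unpadded base64url length for a byte count, ceil(4n/3); with padding stripped, as step 3 requires, 97 bytes produce 130 characters, still over the limit, and the RFC's own 32-octet recommendation produces exactly 43. The function names are this example's own. The S256 challenge derivation is checked against the test vector in RFC 7636 Appendix B.

```python
import base64
import hashlib
import re
import secrets

# Limits from RFC 7636 section 4.1 (the values the tenant-log error reports).
VERIFIER_MIN_LEN = 43
VERIFIER_MAX_LEN = 128

# code_verifier = 43*128 unreserved characters: ALPHA / DIGIT / "-" / "." / "_" / "~"
_VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def b64url_nopad(data: bytes) -> str:
    """base64url encoding with the '=' padding removed, as PKCE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def encoded_length(num_bytes: int) -> int:
    """Length of the unpadded base64url encoding of num_bytes bytes: ceil(4n/3)."""
    return -(-4 * num_bytes // 3)


def is_valid_code_verifier(verifier: str) -> bool:
    """True if the verifier satisfies the RFC 7636 length and character rules."""
    return _VERIFIER_RE.fullmatch(verifier) is not None


def make_code_verifier(num_bytes: int = 32) -> str:
    """Step 1-3: random bytes -> unpadded base64url, rejected if out of range.

    32 bytes (the RFC recommendation) gives a 43-character verifier; the article's
    33..96 range gives 44..128 characters. 97 bytes or more overflows the limit.
    """
    verifier = b64url_nopad(secrets.token_bytes(num_bytes))
    if not is_valid_code_verifier(verifier):
        raise ValueError(
            f"{num_bytes} random bytes encode to {len(verifier)} characters; "
            f"code_verifier must be {VERIFIER_MIN_LEN}-{VERIFIER_MAX_LEN} characters"
        )
    return verifier


def make_code_challenge(verifier: str) -> str:
    """S256 method: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return b64url_nopad(digest)


def verify_code_challenge(verifier: str, challenge: str) -> bool:
    """Server-side check done at the token endpoint, in constant time."""
    return secrets.compare_digest(make_code_challenge(verifier), challenge)


if __name__ == "__main__":
    for n in (32, 33, 96, 97):
        try:
            v = make_code_verifier(n)
            print(f"{n:3d} bytes -> {len(v)} chars, challenge {make_code_challenge(v)}")
        except ValueError as exc:
            print(f"{n:3d} bytes -> rejected: {exc}")
```

Running the block prints one line per byte count, showing 32, 33 and 96 bytes accepted (43, 44 and 128 characters) and 97 bytes rejected before any request leaves the client.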
