What causes AADSTS50148?

The client generated a new code_verifier between the /authorize and /token call (e.g. session lost, page reload, or multiple tabs reusing one auth code). code_challenge_method mismatch — challenge sent as S256 but verifier computed/sent as plain (or vice versa). Incorrect base64url encoding of SHA256(code_verifier) — padding '=' not stripped, or standard base64 used instead of base64url. code_verifier length outside the RFC 7636 range (must be 43–128 unreserved characters). Authorization code reused or swapped between flows, so the verifier belongs to a different /authorize request

How do I fix AADSTS50148?

Inspect the /authorize and /token requests in your app (browser devtools or Fiddler) and confirm the same client instance/session generated both code_challenge and code_verifier — no regeneration in between. Verify the encoding: code_challenge must equal BASE64URL-ENCODE(SHA256(ASCII(code_verifier))) with '+/=' replaced/stripped, and code_challenge_method must be 'S256'. Check code_verifier length (43–128 chars) and charset ([A-Z][a-z][0-9]-._~) — many crypto libraries emit invalid characters by default. If using MSAL.js / MSAL.NET / MSAL Python, upgrade to the latest version and let the SDK handle PKCE rather than computing it manually; remove any custom code_verifier handling. For embedded scenarios (Power BI Embedded, custom connectors, ADF linked services with OAuth), ensure the cache/session storing the verifier survives the redirect — not lost across iframes or popup windows

Low severityauthentication

Power BI Error:
AADSTS50148

What does this error mean?

The PKCE code_verifier sent to the token endpoint doesn't match the code_challenge from the original authorization request.

Common causes

1The client generated a new code_verifier between the /authorize and /token call (e.g. session lost, page reload, or multiple tabs reusing one auth code)
2code_challenge_method mismatch — challenge sent as S256 but verifier computed/sent as plain (or vice versa)
3Incorrect base64url encoding of SHA256(code_verifier) — padding '=' not stripped, or standard base64 used instead of base64url
4code_verifier length outside the RFC 7636 range (must be 43–128 unreserved characters)
5Authorization code reused or swapped between flows, so the verifier belongs to a different /authorize request

How to fix it

1Inspect the /authorize and /token requests in your app (browser devtools or Fiddler) and confirm the same client instance/session generated both code_challenge and code_verifier — no regeneration in between
2Verify the encoding: code_challenge must equal BASE64URL-ENCODE(SHA256(ASCII(code_verifier))) with '+/=' replaced/stripped, and code_challenge_method must be 'S256'
3Check code_verifier length (43–128 chars) and charset ([A-Z][a-z][0-9]-._~) — many crypto libraries emit invalid characters by default
4If using MSAL.js / MSAL.NET / MSAL Python, upgrade to the latest version and let the SDK handle PKCE rather than computing it manually; remove any custom code_verifier handling
5For embedded scenarios (Power BI Embedded, custom connectors, ADF linked services with OAuth), ensure the cache/session storing the verifier survives the redirect — not lost across iframes or popup windows

Frequently asked questions

What does AADSTS50148 mean?

The code_verifier doesn't match t

How do I fix this error?

Check your application registration, token configuration, and user permissions in the Azure portal. Review Conditional Access policies if the error is policy-related.

Source · learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes#aadsts-error-codes