MetricSign
High severity · authentication

Power BI Error: AADSTS501491

What does this error mean?

The PKCE code_challenge parameter has an invalid length. It must be 43-128 characters long; with S256 it is the base64url-encoded SHA-256 hash of the code_verifier.

Common causes

  • The code_challenge is shorter than 43 or longer than 128 characters, violating RFC 7636 §4.2
  • The code_verifier was hashed but not base64url-encoded (or was encoded as standard base64, with = padding and the + and / characters instead of - and _)
  • The code_challenge_method is set to S256 but the value sent is the raw code_verifier instead of its SHA-256 hash
  • A custom or outdated MSAL/ADAL wrapper truncates or pads the challenge before sending
  • The code_verifier itself is outside the 43-128 character range, producing an invalid challenge downstream

How to fix it

  1. Verify your code_verifier is a cryptographically random string of 43-128 characters using only [A-Z][a-z][0-9] and -._~ (RFC 7636 §4.1)
  2. If using code_challenge_method=S256, ensure you compute SHA-256(code_verifier) and then base64url-encode it WITHOUT padding; the result must be exactly 43 chars
  3. Switch to MSAL.js / MSAL.NET / MSAL Python, which handle PKCE generation correctly out of the box, instead of hand-rolling the flow
  4. Inspect the actual /authorize request in browser DevTools (Network tab) and confirm the code_challenge length matches the rules above
  5. If you're embedding Power BI via the JavaScript SDK or a custom auth proxy, update to the latest version, since older builds had PKCE encoding bugs
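The checks in steps 1, 2 and 4, as an added Python example that is not code from this page, from MSAL or from Microsoft: it builds a valid S256 pair and reports which of the common causes above a given verifier/challenge pair exhibits. The function names are hypothetical; the sample pair is the test vector from RFC 7636 Appendix B.

```python
import base64
import hashlib
import re
import secrets

# RFC 7636 §4.1 / §4.2: 43-128 characters from the unreserved set.
UNRESERVED = re.compile(r"[A-Za-z0-9\-._~]{43,128}")

# Test vector from RFC 7636 Appendix B.
RFC_VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
RFC_CHALLENGE = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"


def make_verifier(n_bytes=32):
    """Random code_verifier; 32-96 random bytes encode to 43-128 chars."""
    if not 32 <= n_bytes <= 96:
        raise ValueError("n_bytes must be 32-96")
    return base64.urlsafe_b64encode(secrets.token_bytes(n_bytes)).rstrip(b"=").decode()


def s256_challenge(verifier):
    """BASE64URL(SHA256(ASCII(code_verifier))), padding stripped."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def diagnose(verifier, challenge):
    """List the problems in an S256 verifier/challenge pair ([] if valid)."""
    problems = []
    if not UNRESERVED.fullmatch(verifier):
        problems.append("verifier: not 43-128 unreserved characters")
    if "=" in challenge:
        problems.append("challenge: contains '=' padding")
    if "+" in challenge or "/" in challenge:
        problems.append("challenge: standard base64 alphabet, not base64url")
    if len(challenge) != 43:
        problems.append(f"challenge: length {len(challenge)}, S256 needs 43")
    if challenge == verifier:
        problems.append("challenge: raw verifier sent with method S256")
    elif not problems and challenge != s256_challenge(verifier):
        problems.append("challenge: is not SHA-256 of the verifier")
    return problems


if __name__ == "__main__":
    v = make_verifier()
    print(len(v), len(s256_challenge(v)), diagnose(v, s256_challenge(v)))
    print(diagnose(RFC_VERIFIER, RFC_VERIFIER))
```

Paste the code_challenge captured from the /authorize request, together with the verifier your client generated, into `diagnose` to see which rule it breaks.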

Frequently asked questions

What does AADSTS501491 mean?

Invalid size of Code_Challenge parameter.

How do I fix this error?

Check your application registration, token configuration, and user permissions in the Azure portal. Review Conditional Access policies if the error is policy-related.

Source · learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes#aadsts-error-codes
