error: PKCE code verifier is required when the token endpoint authentication method is 'NONE'.

kc6ba (kc6ba) asked a question.

I'm trying to do an exchange of an openID authorization code for a token, but I keep hitting this error.

When I hit the api to see how my app is configured, token_endpoint_auth_method is NOT none. It's client_secret_basic (which I am using)

"oauthClient": {

"autoKeyRotation": true,

"client_id": "****************",

"client_secret": "**************************",

"token_endpoint_auth_method": "client_secret_basic"

And the code to exchange the token:

response = requests.post(

TOKEN_URL,

headers={

"Accept": "application/json",

"Content-Type": "application/x-www-form-urlencoded; charset=utf-8",

"authorization": "Basic {}".format(CLIENT_SECRET_BASIC)

data={

"grant_type": "authorization_code",

"code": code,

)

Is this a bug with Okta? What am I doing wrong?

kc6ba (kc6ba)
6 years ago
I eventually figured it out, Okta's v3 JavaScript Sign-In Widget was initiating a PKSE flow even when explicitly told not to. I downgraded to the v2.60 Sign-In Widget and it worked.
Expand Post
Selected as Best

molly.masterson1.5499146976511477E12 (Okta)
6 years ago
Hey Seth! Thanks for posting.

We have resources available specifically for developers at https://developer.okta.com, including a Developer Forum (https://devforum.okta.com/) and documentation. If you are unable to find the solutions you're looking for there, we would encourage you to contact our dedicated Developer Support team at developers@okta.com, and they will be able to help you out.
Expand Post
kc6ba (kc6ba)
6 years ago
I eventually figured it out, Okta's v3 JavaScript Sign-In Widget was initiating a PKSE flow even when explicitly told not to. I downgraded to the v2.60 Sign-In Widget and it worked.
Expand Post
Selected as Best