
User16576334792081707005 (Customer) asked a question.
Under this page:
https://developer.okta.com/docs/concepts/oauth-openid/*authorization-code-flow-with-pkce
Step 6 of the flow (send authorization code + code_verifier to /token) does not work for me as documented.
Documentation details are at:
https://developer.okta.com/docs/guides/implement-grant-type/authcodepkce/main/
This says in section "Exchange the code for tokens": "Unlike the regular Authorization Code flow, this call doesn't require the Authorization header with the Client ID and secret. That is why this version of the Authorization Code flow is appropriate for native apps."
In fact, when I just sent the client_id in the body as suggested (x-www-form-urlencoded), Okta replied with HTTP 400 stating that the client cannot be identified. I did not specify the client secret in the body, as the documentation does not mention it.
When I additionally sent the basic auth header, Okta replied with a "multiple credentials" error, which I found rightful, as the client ID had been specified in both the authorization header and the body.
Then I omitted the client_id from the body, keeping the basic authorization header, and got a positive HTTP 200 reply with the access token, etc.
Please clarify why this behavior occurs.
When I do it according to the documentation, then I get HTTP 400.
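The three request shapes described in this post, as an added example (not code from the original post, from Okta, or from Okta's documentation): a client-side builder for the PKCE token exchange per RFC 7636, plus a check for the rule in RFC 6749 §2.3.1 that a client must not use more than one authentication method per request, which is what a "multiple credentials" rejection corresponds to. The token URL, client ID and secret are assumed placeholders; the HTTP responses Okta actually returns are only what the post reports.

```python
"""PKCE token exchange helpers (RFC 7636) with a client-auth-method check (RFC 6749 2.3.1)."""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, quote, urlencode

# Assumption: placeholder token endpoint, not the poster's org.
TOKEN_URL = "https://example.okta.com/oauth2/default/v1/token"


def generate_code_verifier(nbytes: int = 48) -> str:
    """Random code_verifier of 43-128 unreserved chars (RFC 7636 4.1).
    token_urlsafe(48) yields 64 chars from [A-Za-z0-9_-]."""
    verifier = secrets.token_urlsafe(nbytes)
    if not 43 <= len(verifier) <= 128:
        raise ValueError("code_verifier length out of range")
    return verifier


def code_challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), unpadded (RFC 7636 4.2)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def verify_code_challenge(verifier: str, challenge: str) -> bool:
    """The server-side check at /token (RFC 7636 4.6), in constant time."""
    return hmac.compare_digest(code_challenge_s256(verifier), challenge)


def build_token_request(code, verifier, redirect_uri, client_id, client_secret=None):
    """Return (headers, urlencoded_body) for POST /token.

    Public client (no secret): identify with client_id in the body only, no
    Authorization header, as the PKCE guide describes.
    Confidential client: HTTP Basic with the urlencoded id:secret, and the
    client_id is NOT repeated in the body, so the request carries a single
    client authentication method (RFC 6749 2.3.1).
    """
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "code_verifier": verifier,
    }
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if client_secret is None:
        body["client_id"] = client_id
    else:
        creds = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
        headers["Authorization"] = "Basic " + base64.b64encode(creds.encode()).decode()
    return headers, urlencode(body)


def client_auth_methods(headers, body: str) -> list:
    """List the distinct ways a /token request identifies or authenticates the client."""
    fields = parse_qs(body)
    methods = []
    if any(k.lower() == "authorization" for k in headers):
        methods.append("basic_header")
    if "client_secret" in fields:
        methods.append("client_secret_post")
    elif "client_id" in fields:
        methods.append("client_id_post")
    return methods


def check_single_auth_method(headers, body: str) -> list:
    """Raise if the request mixes methods (the post's Basic header + client_id in body case)."""
    methods = client_auth_methods(headers, body)
    if len(methods) > 1:
        raise ValueError(f"multiple client credentials in one request: {methods}")
    return methods


if __name__ == "__main__":
    v = generate_code_verifier()
    print("code_challenge:", code_challenge_s256(v))
    h, b = build_token_request("AUTHZ_CODE", v, "com.example.app:/callback", "native-app-id")
    print(h, b, check_single_auth_method(h, b))
```

The public-client request is the one the guide documents; the builder deliberately never emits client_id in the body alongside a Basic header, because that combination is what the poster reports as rejected and what the spec forbids.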

Hi @User16576334792081707005 (Customer),
Sounds like a document defect to me, but I would open a support ticket and let them verify. In general the related spec would be the place to check how it needs to work.
-Jani
Thank you for taking a look at it, Jani.
I filed a support ticket, number 01487655.
I will post the final outcome to this thread.