Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Receiving auth token in Authorization Code Grant with PKCE

See original GitHub issue

What version of UAA are you running?


What output do you see from curl <YOUR_UAA>/info -H'Accept: application/json'?

curl '' \
  -H 'Accept: */*' \
  -H 'Cache-Control: no-cache' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  --data-raw 'grant_type=authorization_code&code=111...222&' \
{"error":"unauthorized","error_description":"Bad credentials"}

What did you do?

Some time ago PKCE suport was added to UAA. I wanted to switch from oAuth2 Implicit Grant flow to Authorization Code Grant with PKCE. I’m able to get the code using browser flow, however i keep getting 401 when trying to request the token. As it’s a browser flow, of course i’m not sending Authorization header, or client_secret in the POST request to /oauth/token.

What did you expect to see? What goal are you trying to achieve with the UAA?

How to exchange code for token in the browser?

Issue Analytics

  • State:closed
  • Created a year ago
  • Comments:8 (4 by maintainers)

github_iconTop GitHub Comments

strehlecommented, May 24, 2022

I know about these vendor specific definitions. auth0 is okta. they and many others - including Microsoft and SAP - does it in this way but all of them allow it if configured.

UAA will support same but similar to “autoapprove” with a flag e.g. “public” that needs to be maintained for the clients where you want use use.

strehlecommented, May 17, 2022
Read more comments on GitHub >

github_iconTop Results From Across the Web

Authorization Code Flow with Proof Key for Code Exchange ...
The PKCE-enhanced Authorization Code Flow introduces a secret created by the calling application that can be verified by the authorization server ; this...
Read more >
Implement the OAuth 2.0 Authorization Code with PKCE Flow
The app makes the request to exchange the code for tokens, only it sends the Code Verifier instead of a fixed secret.
Read more >
Authorization Code Flow With PKCE - Cloudentity
Authorization code grant with the Proof Key of Code Exchange (PKCE) is an extension of the standard authorization code grant OAuth flow.
Read more >
OpenId Connect Auth Code Flow + PKCE - OneLogin API
The Authorization Code Flow + PKCE is an OpenId Connect flow specifically designed to authenticate native or mobile application users.
Read more >
Auth Code Flow with PKCE - Medium
PKCE, pronounced “pixie” is an acronym for Proof Key for Code Exchange. The key difference between the PKCE and authorization code grant flow...
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Post

No results found

github_iconTop Related Hashnode Post

No results found