Receiving auth token in Authorization Code Grant with PKCE
Issue Description
What version of UAA are you running?
75.18.0
What output do you see from curl <YOUR_UAA>/info -H'Accept: application/json'?
curl 'https://example.com/uaa/oauth/token' \
-H 'Accept: */*' \
-H 'Cache-Control: no-cache' \
-H 'Content-Type: application/x-www-form-urlencoded' \
--data-raw 'grant_type=authorization_code&code=111...222&redirect_uri=example.com&code_verifier=1234...5678&client_id=my.client' \
--compressed
{"error":"unauthorized","error_description":"Bad credentials"}
What did you do?
Some time ago PKCE support was added to UAA. I wanted to switch from the OAuth2 Implicit Grant flow to Authorization Code Grant with PKCE. I'm able to get the code using the browser flow, however I keep getting 401 when trying to request the token. As it's a browser flow, of course I'm not sending an Authorization header or client_secret in the POST request to /oauth/token.
- Question - Is there even a way to request an auth token in the browser using the flow with PKCE, without sending the client_secret? I'd expect it to work similar to Spotify's implementation https://developer.spotify.com/documentation/general/guides/authorization/code-flow/
- API documentation describes receiving the code using the browser flow but doesn't suggest what to do with the received code - this could be improved.
What did you expect to see? What goal are you trying to achieve with the UAA?
How to exchange code for token in the browser?
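The flow the reporter asks about, as an added example that is not code from the issue or the UAA project: a public browser client derives the PKCE challenge, sends it on the authorize request, and later exchanges the code with the code_verifier and no client_secret. BASE and REDIRECT_URI are placeholders, and it assumes the client is registered so the authorization_code grant is accepted without a secret (the flag the maintainer describes below).

```javascript
// Added example (not from the UAA project or the issue): PKCE from a public
// browser client. BASE, REDIRECT_URI and the client registration are assumed.
const BASE = 'https://uaa.example.com/uaa';              // placeholder UAA
const CLIENT_ID = 'my.client';                           // client id from the issue
const REDIRECT_URI = 'https://app.example.com/callback'; // placeholder
// Web Crypto in the browser; under Node the same API comes from node:crypto.
async function webcrypto() {
  return globalThis.crypto ?? (await import('node:crypto')).webcrypto;
}
// RFC 7636 base64url: URL-safe alphabet, no '=' padding.
function base64url(bytes) {
  let bin = '';
  for (const b of bytes) bin += String.fromCharCode(b);
  return btoa(bin).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
// 32 random bytes -> 43 chars, inside the 43..128 length RFC 7636 requires.
async function makeCodeVerifier() {
  return base64url((await webcrypto()).getRandomValues(new Uint8Array(32)));
}
// code_challenge = base64url(SHA-256(ASCII(code_verifier))), method S256.
async function codeChallengeS256(verifier) {
  const { subtle } = await webcrypto();
  const digest = await subtle.digest('SHA-256', new TextEncoder().encode(verifier));
  return base64url(new Uint8Array(digest));
}
// Step 1: redirect to /oauth/authorize with the challenge; keep the verifier
// in the browser (e.g. sessionStorage) until the code comes back.
async function authorizeUrl(verifier, state) {
  const p = new URLSearchParams({
    response_type: 'code', client_id: CLIENT_ID, redirect_uri: REDIRECT_URI, state,
    code_challenge: await codeChallengeS256(verifier), code_challenge_method: 'S256',
  });
  return `${BASE}/oauth/authorize?${p}`;
}
// Step 2: the token request carries code_verifier instead of client_secret
// and no Authorization header, because a browser app cannot keep a secret.
function tokenRequestBody(code, verifier) {
  return new URLSearchParams({
    grant_type: 'authorization_code', code, redirect_uri: REDIRECT_URI,
    code_verifier: verifier, client_id: CLIENT_ID,
  }).toString();
}
async function exchangeCode(code, verifier) {
  const res = await fetch(`${BASE}/oauth/token`, {
    method: 'POST', body: tokenRequestBody(code, verifier),
    headers: { 'Content-Type': 'application/x-www-form-urlencoded', Accept: 'application/json' },
  });
  // 401 "Bad credentials" here means UAA still treats the client as confidential.
  if (!res.ok) throw new Error(`token endpoint returned ${res.status}`);
  return res.json();
}
```

The verifier must never leave the browser except in the token request; the authorization server compares SHA-256 of the submitted code_verifier with the code_challenge it stored alongside the code.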
Issue Analytics
- Created 10 months ago
- Comments: 8 (4 by maintainers)
I know about these vendor specific definitions. auth0 is okta. They and many others - including Microsoft and SAP - do it in this way, but all of them allow it if configured.
UAA will support the same, but similar to "autoapprove" with a flag, e.g. "public", that needs to be maintained for the clients where you want to use it.
Hi, ready for review https://github.com/cloudfoundry/uaa/pull/1888