Receiving auth token in Authorization Code Grant with PKCE

What version of UAA are you running?

75.18.0

What output do you see from curl <YOUR_UAA>/info -H'Accept: application/json'?

curl 'https://example.com/uaa/oauth/token' \
  -H 'Accept: */*' \
  -H 'Cache-Control: no-cache' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  --data-raw 'grant_type=authorization_code&code=111...222&redirect_uri=example.com&code_verifier=1234...5678&client_id=my.client' \
  --compressed

{"error":"unauthorized","error_description":"Bad credentials"}

What did you do?

Some time ago PKCE suport was added to UAA. I wanted to switch from oAuth2 Implicit Grant flow to Authorization Code Grant with PKCE. I’m able to get the code using browser flow, however i keep getting 401 when trying to request the token. As it’s a browser flow, of course i’m not sending Authorization header, or client_secret in the POST request to /oauth/token.

• Question - Is there even a way to request auth token in browser using flow with PKCE, without sending the client_secret?
  • i’d expect it to work similar to spotify’s implementation https://developer.spotify.com/documentation/general/guides/authorization/code-flow/
• API documentation describes receiving code using browser flow but don’t suggest what to do with the received code - this could be improved.

What did you expect to see? What goal are you trying to achieve with the UAA?

How to exchange code for token in the browser?