I am getting the error "Browser requests to the token endpoint must use Proof Key for Code Exchange" when trying to post the following request from my code, but the same request works from Postman. Am I missing anything here?
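```typescript
import axios from "axios";
import qs from "qs";

// Form-encoded body for the client_credentials grant.
// `Scope` and `issuer` are defined elsewhere in the application.
const urlEncodeData = qs.stringify({
  grant_type: "client_credentials",
  client_id: "xxxxxxxxxxxx",
  client_secret: "xxxxxxxxxxxxx",
  scope: Scope,
});
const headers: any = {
  "Content-Type": "application/x-www-form-urlencoded",
};
// axios.post takes (url, data, config); headers belong inside the config object.
const tokenData = await axios.post(
  `${issuer}/v1/token`,
  urlEncodeData,
  { headers }
);
```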
I tried using qs and URLSearchParams and nothing worked.
CodePudding user response:
I believe the problem is that the client_credentials flow assumes that you will be initiating a call to the /token endpoint from a back-end server and not from your browser. So it might be an additional security check on Okta's side, to discourage the use of inappropriate mechanisms/solutions.
CodePudding user response:
For the client-side application you are using, you should use the PKCE flow. Postman works because you are testing the implicit flow, not the PKCE flow.