Authorization Code w/ PKCE Flow for Web Apps

I’m attempting to set up an authentication flow using the Authorization Code w/ PKCE flow on an app that cannot safely store the Client Secret.

The Okta app configuration is set to Web, and I am getting the error "Client authentication failed. Either the client or the client credentials are invalid" upon making a request with the authorization code. Do Web apps not support Authorization Code w/ PKCE without providing a Client Secret?

Hi @kevcao-certik,

Authorization Code with PKCE flow is supported by SPA or Native app types.

Ref this doc.

Web app supports Authorization Code flow which would require Client secret.

Hi,

Was facing the same issue. The confusion was caused because if we create an OIDC app with the type set to Web App, it shows a checkbox to allow the PKCE flow, so I turned it on, tried to do the PKCE flow, and got the same client ID error. If we create a SPA, the PKCE flow works fine. I think that checkbox should be removed, as that is the source of the confusion.

Just to clarify here, if you want to use Authorization Code flow with a SPA, you must use PKCE. However, for a Web application (that has a Client Secret/Private Key JWT set for client auth), you can choose to use either regular Authorization Code flow or Authorization Code Flow w/ PKCE for additional security.

This article explains how the client authentication is separate from PKCE: Client Authentication vs. PKCE: Do you need both?