Authorization Code w/ PKCE Flow for Web Apps

I’m attempting to set up an authentication flow using Authorization Code w/ PKCE flow on an app that cannot safely store the Client Secret.

The Okta app configuration is set to Web, and I am getting the error Client authentication failed. Either the client or the client credentials are invalid upon making a request with the authorization code. Do Web apps not support Authorization Code w/ PKCE without providing a Client Secret?

Hi @kevcao-certik,

Authorization Code with PKCE flow is supported by SPA or Native app types.

Ref this doc.

Web app supports Authorization Code flow which would require Client secret.

1 Like


Was facing the same issue, the confusion was caused because if we create OIDC with type as web app, it shows a check box to allow pkce flow, so i turned it on and tried to do PKCE flow and got the same client id error. If we create SPA the PKCE flow works fine. I think that should be removed as that is the source of confusion

Just to clarify here, if you want to use Authorization Code flow with a SPA, you must use PKCE. However, for a Web application (that has a Client Secret/Private Key JWT set for client auth), you can choose to use either regular Authorization Code flow or Authorization Code Flow w/ PKCE for additional security.

This article explains how the client authentication is separate from PKCE: Client Authentication vs. PKCE: Do you need both?