Authorization Code w/ PKCE Flow for Web Apps

I’m attempting to set up an authentication flow using Authorization Code w/ PKCE flow on an app that cannot safely store the Client Secret.

The Okta app configuration is set to Web, and I am getting the error "Client authentication failed. Either the client or the client credentials are invalid" upon making a request with the authorization code. Do Web apps not support Authorization Code w/ PKCE without providing a Client Secret?

Hi @kevcao-certik,

Authorization Code with PKCE flow is supported by SPA or Native app types.

Ref this doc.

Web app supports Authorization Code flow, which would require a Client secret.
