I’m attempting to set up an authentication flow using Authorization Code w/ PKCE flow on an app that cannot safely store the Client Secret.
The Okta app configuration is set to Web, and I am getting the error "Client authentication failed. Either the client or the client credentials are invalid" upon making a request with the authorization code. Do Web apps not support Authorization Code w/ PKCE without providing a Client Secret?
Was facing the same issue. The confusion was caused because if we create an OIDC app with type Web App, it shows a checkbox to allow the PKCE flow, so I turned it on and tried to do the PKCE flow and got the same client ID error. If we create a SPA, the PKCE flow works fine. I think that checkbox should be removed, as that is the source of confusion.
Just to clarify here, if you want to use Authorization Code flow with a SPA, you must use PKCE. However, for a Web application (that has a Client Secret/Private Key JWT set for client auth), you can choose to use either regular Authorization Code flow or Authorization Code Flow w/ PKCE for additional security.