Can I create a custom OIDC IDP for a Single Page OIDC App WITHOUT client secret?

This comment from 2022 says otherwise.

The context is this: I'm building both a custom OIDC Single Page application using PKCE and a corresponding external OIDC IDP. I am able to proceed with logging in (using the /authorize endpoint), but when I try to make a call to https://${OKTA_DOMAIN}.okta.com/oauth2/v1/token, I get the error INVALID REQUEST: The grant was issued for another authorization server.

I am planning to use PKCE and have included the code challenge on the first authorize call. I believe this issue stems from the external IDP configuration, where there is a Client Secret field that I have filled in arbitrarily. This is because when I create an OIDC application integration, there is no Client Secret there.

I only have one external IDP and one application running. I have ensured that the client_id provided during both the authorize and token calls is the same as the one I pass when I call Okta's token endpoint. I suspect this is a Client Secret thing, but do not know how to create an OIDC IDP without a Client Secret.

How do I get around this?

I solved my problem. I just had to add /default to my link. The token endpoint that worked for me was

const tokenEndpoint = `https://${OKTA_DOMAIN}.okta.com/oauth2/default/v1/token`;

I want to cry.
