If I use this example on a localhost static page, the PKCE flow works perfectly:
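/**
 * Parse a URL query string into a flat key -> value dictionary.
 *
 * The query string comes back from the authorization server's redirect and
 * is untrusted input, so the parser:
 *  - returns a null-prototype object, so a lookup of an absent key (or an
 *    attacker-chosen key such as "constructor" or "toString") yields
 *    undefined instead of an inherited Object.prototype member;
 *  - lets URLSearchParams do the decoding, which also decodes the key and
 *    does not throw on a malformed percent-escape (decodeURIComponent did);
 *  - keeps the whole value when it contains "=" (split('=', 2) truncated it).
 * A bare key with no "=" maps to "". When a key repeats, the last value wins,
 * as before.
 *
 * @param {string} search - raw query string, with or without the leading "?"
 * @returns {Object<string, string>} decoded parameters (null prototype)
 */
function parseQuery(search) {
  var params = Object.create(null);
  new URLSearchParams(search || '').forEach(function (value, key) {
    params[key] = value;
  });
  return params;
}

// Only a page (or a content script sharing its URL) has a `window` whose
// location carries the redirect's ?code=...&state=... query string.
// NOTE(review): an extension background script has no page URL to read here,
// so in that context there is nothing to parse - confirm which context this
// actually runs in.
var qs = parseQuery(typeof window !== 'undefined' ? window.location.search : '');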
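if (qs['code'] == null) {
  // Step 1: no authorization code yet, so send the user agent to the
  // authorization endpoint. Every parameter goes through URLSearchParams so a
  // value containing "&", "=", "#", "+" or a space (scope usually has spaces)
  // cannot break or alter the query; the original concatenated them raw.
  // NOTE(review): this assumes the globals hold raw, unencoded values. If
  // redirect_uri is already percent-encoded where it is defined it would be
  // double-encoded here - confirm.
  var authorizeQuery = new URLSearchParams({
    response_type: 'code',
    client_id: client_id,
    redirect_uri: redirect_uri,
    state: state,
    scope: scope,
    nonce: nonce,
    code_challenge: code_challenge,
    code_challenge_method: 'S256'
  });
  document.location.href = authorize_url + '?' + authorizeQuery.toString();
} else if (qs['state'] !== state) {
  // Step 2a: `state` is the CSRF token of this flow. The original sent it on
  // the redirect but never compared it on the way back, so a victim could be
  // made to redeem a code that belongs to an attacker's authorization.
  // Refuse the exchange on mismatch (or when the server did not echo it).
  // NOTE(review): this assumes `state` still holds the value that was sent,
  // i.e. it is persisted across the redirect (e.g. sessionStorage) the same
  // way code_verifier must be - confirm.
  console.log('OAuth state mismatch - ignoring the authorization code');
} else {
  // Step 2b: exchange the authorization code for tokens with PKCE.
  var xhr = new XMLHttpRequest();
  // Legacy probe for CORS support; kept as in the original.
  if ("withCredentials" in xhr) {
    xhr.onerror = function() {
      console.log('Invalid URL or Cross-Origin Request Blocked. You must explicitly add this site (' + window.location.origin + ') to the list of allowed websites in the administrator UI');
    };
    xhr.onload = function() {
      // onload fires for 4xx/5xx as well. The original logged only the body,
      // which for a 403 with an empty body shows nothing and hides the status.
      // NOTE(review): a request from an extension context carries an
      // `Origin: chrome-extension://<id>` header (a page or content script
      // sends the page's origin), while curl sends no Origin at all; a server
      // that allow-lists origins can answer 403 to the former and 200 to the
      // latter - compare the request headers in the Network tab and the
      // server's allow-list before looking elsewhere.
      if (this.status >= 200 && this.status < 300) {
        // This prints the access/refresh tokens - acceptable for a demo, not
        // for production code.
        console.log(this.responseText);
      } else {
        console.log('Token request failed with HTTP ' + this.status + ': ' + this.responseText);
      }
    };
    xhr.open('POST', token_url, true);
    xhr.setRequestHeader("Accept", 'application/json');
    xhr.setRequestHeader("Content-Type", 'application/x-www-form-urlencoded');
    // The code was percent-decoded when the query was parsed, so it must be
    // re-encoded for the form body; sending it raw corrupts any "+" or "%".
    var tokenRequestBody = new URLSearchParams({
      grant_type: 'authorization_code',
      client_id: client_id,
      redirect_uri: redirect_uri,
      code: qs['code'],
      code_verifier: code_verifier
    });
    xhr.send(tokenRequestBody.toString());
  } else {
    console.log("CORS is not supported for this browser!");
  }
}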
But if I use the same code in a Chrome extension background or content script, I get a 403 response from the token URL with an empty body. When I send the same request with curl, I get 200 and a token. Please advise.