PKCE + Resource Owner Username and Password


Is it possible to get an access token using the resource owner username and password if client authentication is configured to use PKCE (no client secret)?

We need this for end-to-end test cases for our API(s). The end-to-end test cases are written using Postman/Newman.


No, it is not possible; the password grant requires client authentication for the token request.

Actually, it looks like this does work with a Native app (in Okta) with "Use PKCE (for public clients)" enabled for the Client Authentication method.

curl --location --request POST '' \
--header 'Accept: application/json' \
--header 'Authorization: Basic {base64encoded_client_id}' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=password' \
--data-urlencode 'username={username}' \
--data-urlencode 'password={password}' \
--data-urlencode 'scope=openid offline_access groups'