Renew Access_token - Browser requests to the token endpoint must use Proof Key for Code Exchange

We have configured PKCE, and in the initial call to /authorize we passed code_challenge_method=S256 and code_challenge. We use the Authorization Code flow. When I'm trying to renew the access_token by passing the refresh_token as below, I'm getting

Browser requests to the token endpoint must use Proof Key for Code Exchange. Request help on this.

We tried the below format as well and got the same error. Both worked well in Postman.

What type of application is this registered as in Okta, web or SPA?
For the refresh_token grant_type, if the application making the /token call is a public application (browser JS), there is no /token endpoint credentials passed (no Authorization header), only the client_id.

When the first /token endpoint is called during the authorize flow, is it being done from a backend server (not browser JS)?

Hi Erik,

Application is registered as Web in Okta.
Yes, the initial /token endpoint is called from the server side, where we passed code_verifier and got a response with access_token, id_token, refresh_token.

Made changes as you suggested, as below, and now we are getting another error: `{"error":"invalid_client","error_description":"Client authentication failed. Either the client or the client credentials are invalid."}`. We used the same clientId passed in the /authorize endpoint.

Hi Pulikkan,

The application you have registered in Okta is a web application and the token endpoint is set up to require a client secret. You won’t be able to just send the client_id.

For an OIDC application in Okta that is set up as a web app, it will require credentials for the /token endpoint. This means you will not be able to make this call from browser JS.

You can replicate this in Postman by adding the HTTP header ‘Origin’ when making the call; you will receive the same error as when making this call via xhr/ajax/fetch/etc. from a browser.

/token calls from browser JS can only happen if the OIDC application registered in Okta uses PKCE and has no /token endpoint credentials.

Is it possible for you to make the refresh token call from your backend server and pass it back to the FE like you must be doing as part of the initial login flow?


The initial /authorize and /token endpoint calls were made from the server side (we passed code_verifier for /token, and code_challenge and code_challenge_method for the /authorize endpoint).

Please find our app config details in Okta.

I can make the call from the server side, but I guess it will require an additional round trip, which I would like to eliminate. With the above configuration, can I make the call from the browser to renew the access_token? If I can, could you please let me know the parameters to pass (headers and data params)?

For Client authentication you would need to set this to none.

Hi Erik, which one should I set to none?

You need to have a SPA or Native app to have this as an option. Web apps will always have either a Client Secret or Public key / Private key auth type in Okta. SPAs will have the option to just use PKCE auth and NOT have a Client Secret Set.

See this guide for app set-up instructions: Implement authorization by grant type | Okta Developer
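To make the distinction in Erik's replies concrete, here is an added example (not code from the thread or from Okta) that builds the refresh_token grant request for both client types: a public SPA/Native app (client authentication "none", only client_id in the body) and a confidential Web app (HTTP Basic client credentials, which must stay on the backend). The token endpoint URL, client id, secret and refresh token are placeholder values.

```javascript
// Added example, not from the thread. All endpoint, client and token values are placeholders.

const toBase64 = (s) => (typeof btoa === 'function' ? btoa(s) : Buffer.from(s).toString('base64'));

// Build an RFC 6749 refresh_token grant request.
// - public client (Okta SPA/Native, client auth "none"): no Authorization header, client_id in the body
// - confidential client (Okta Web app): HTTP Basic client_id:client_secret, no client_id in the body
function buildRefreshRequest({ tokenEndpoint, clientId, refreshToken, clientSecret, scope }) {
  const body = new URLSearchParams({ grant_type: 'refresh_token', refresh_token: refreshToken });
  if (scope) body.set('scope', scope);
  const headers = {
    'Content-Type': 'application/x-www-form-urlencoded',
    Accept: 'application/json',
  };
  if (clientSecret) {
    // Confidential client: credentials travel in the header. Okta rejects this when the
    // request carries a browser Origin header, which is the error seen in the thread.
    headers.Authorization = 'Basic ' + toBase64(`${clientId}:${clientSecret}`);
  } else {
    // Public client: the app is identified by client_id alone (PKCE was used at login).
    body.set('client_id', clientId);
  }
  return { url: tokenEndpoint, method: 'POST', headers, body: body.toString() };
}

// True when running inside a browser page (window + document present).
function isBrowser() {
  return typeof window !== 'undefined' && typeof window.document !== 'undefined';
}

// Perform the refresh. A Web-app (secret-bearing) refresh is refused in the browser before any
// network call: Okta would reject it anyway, and shipping the secret to the client is the real risk.
async function refreshAccessToken(opts, fetchImpl = fetch) {
  if (opts.clientSecret && isBrowser()) {
    throw new Error('Web app with client secret: refresh the token from the backend, not browser JS');
  }
  const req = buildRefreshRequest(opts);
  const res = await fetchImpl(req.url, { method: req.method, headers: req.headers, body: req.body });
  const json = await res.json();
  if (!res.ok) throw new Error(`${json.error}: ${json.error_description}`);
  return json; // { token_type, expires_in, access_token, refresh_token?, id_token?, scope }
}
```

For the thread's Web-app configuration only the confidential form is valid, so the backend makes the call and hands the new access_token to the front end, as in the initial login flow.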

With my app configured as Web, I'm able to get tokens initially (call made from the server side) by passing code_verifier, code_challenge_method and code_challenge. I was having the issue only when I tried to renew the access_token. So are you saying that if we configured it as Web, we won't be able to renew the access_token from a front-end call?