Token Endpoint call - Works on Chrome/Firefox NOT Internet Explorer 11 (IE 11)


I have a situation where my PKCE flow works in chrome/firefox but not in IE 11. By PKCE flow I mean:

  1. SEND AUTHORIZE REQUEST- From MyApp.js calld okta/authorize endpoint with code, clientid, scope, state, redirect uri, code_challenge, etc…
  2. RECEIVE CODE - MyApp receives a CODE from Okta as part of http://myapp?code=232f23423
  3. SEND TOKEN REQUEST -From MyApp.js call v1/token endpoint sending back the code along with the code verifier, etc…

Comparing the calls in step 1, the GET url params in the authorize request are identical. So I do get a code back from Okta in both scenarios… However my step 3 (token request), ALWAYS returns a 403 when running in IE. The form params look identical here as well.

Is anyone aware of any gotchas or things to be aware of when making the token request in IE 11. Are there additional settings that I need to be making (its an XMLHttpRequest POST) that I am making.

Thank you Okta community for any help/insights!


Hi @cking27

Can you please try the authorization code flow with PKCE with the sample available here? I’ve tested it now on IE version 11.885.17134 and it worked successfully.

Thank you @dragos for your reply! I can confirm based on your sample PKCE example this does work in IE 11. With this code I was able to verify that my problem relies on some additional security settings (that I am still nailing down) that my company has placed on internal builds of IE. Very helpful, tks!

@dragos, I happen to be seeing small differences in how I do the sha256/base64encoding of a string in the libraries I’m using in IE11. In your example I see you have the code challenge hardcoded for simplicity sake. Do you happen to know what lib u used to do the generation?

Sorry @dragos, you can ignore. I hadn’t noticed that the base64 encoding done by code that I had grabbed(Okta pkce example) did some char replacement before sending the code challenge string.

.replace(/\+/g, '-').replace(
                    /\//g, '_')
                .replace(/=+$/, '');

Once I had done that things began to work.