Starting with version 2019.03.2 in preview and 2019.04.0 in production, Okta supports the authorization code flow with PKCE client-side. This means that the authorization code and code verifier can be sent through browser requests to the /token endpoint of the authorization server. Any other OIDC flow would need to have the request to the /token endpoint done server-side.
Client-side requests and server-side requests to the /token endpoint are distinguished by checking for the “Origin” header: if the header is present, then the request is client-side.
In Postman, this issue usually occurs when you are using the browser plugin instead of the native application. The Postman browser plugin automatically sends an Origin header containing “file://” and the application’s ID.
Can you please download the native version of Postman from here and try again?