
We have an identity server which does not support PKCE. It cannot be modified to include PKCE.

I am trying to implement the authorization code flow on the same identity server using spring-security-oauth2-client, spring-boot-starter-security & webclient. The generated authorization code uses code_challenge_method & code_challenge, which is giving an error while accessing the token. Is there any way in Spring to not use PKCE by default?

I am using spring boot version 2.3.4.RELEASE

user2800089

1 Answer

Spring Security will use PKCE only if the client doesn't have a client-secret configured.

https://docs.spring.io/spring-security/site/docs/5.4.2/reference/html5/#oauth2Client-auth-code-grant

Martin Theiss
  • Once I updated client-authentication-method: none to client-authentication-method: basic in application.yml it worked. Thanks @Martin Theiss – user2800089 Feb 10 '21 at 11:11
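
The change described in the answer and comment above, written out as a complete client registration. This is an added example, not part of the original posts; the registration id `legacy-idp`, the client id, the environment variable name, the scope and the `idp.example.com` endpoints are placeholders.

```yaml
spring:
  security:
    oauth2:
      client:
        registration:
          legacy-idp:                                # hypothetical registration id
            provider: legacy-idp
            client-id: my-client-id                  # placeholder
            # A configured secret makes this a confidential client, so
            # Spring Security does not add PKCE parameters to the request.
            client-secret: ${IDP_CLIENT_SECRET}      # placeholder, read from the environment
            # Was "none" in the failing setup, which caused code_challenge and
            # code_challenge_method to be sent. "basic" is the value from the comment above.
            client-authentication-method: basic
            authorization-grant-type: authorization_code
            redirect-uri: "{baseUrl}/login/oauth2/code/{registrationId}"
            scope: read                              # placeholder scope
        provider:
          legacy-idp:
            authorization-uri: https://idp.example.com/oauth2/authorize   # placeholder
            token-uri: https://idp.example.com/oauth2/token               # placeholder
```

With this registration the authorization request no longer carries `code_challenge` or `code_challenge_method`, and the token request authenticates with the client id and secret over HTTP Basic.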