
Created a Swagger UI for APIs and wanted to expose the APIs using this Swagger (meaning the app doesn't have any other UI set up other than this Swagger). Swagger has been configured for the OAuth2 Client Credentials flow and its token URL is https://{{domain}}.okta.com/oauth2/{{OAuthServrID}}/v1/token, but while authorizing I get the error below: `{error: invalid_client, description: Browser requests to the token endpoint must use Proof Key for Code Exchange}`

I have seen a few posts regarding this issue saying that Okta introduced this requirement to prevent the client credentials flow from being used in web browsers. But is there a solution or workaround for this?

roby.elan
  • You could use auth code flow with PKCE. Why do you want to use client credentials in a browser? That's usually reserved for machine-to-machine authentication. – Matt Raible Nov 10 '21 at 14:09
  • Swagger UI has the [`usePkceWithAuthorizationCodeGrant`](https://github.com/swagger-api/swagger-ui/blob/master/docs/usage/oauth2.md) config option, try setting it to `true`. – Helen Nov 10 '21 at 15:26
  • @MattRaible: Swagger supports the Client Credentials flow, right, and Swagger can be tested from a browser, right? (since Swagger is deployed as a website in AWS S3) Or did you mean the Client Credentials flow should only be tested using an API testing tool like Postman? Correct me if I'm wrong! – roby.elan Nov 11 '21 at 07:35
  • @Helen usePkceWithAuthorizationCodeGrant is not applicable to the Client Credentials flow, right? And I want to use the Client Credentials flow only, since my requirement is server-to-server interaction (Swagger app on behalf of the user) – roby.elan Nov 11 '21 at 07:38
  • Wait, is PKCE even applicable to the Client Credentials flow? It's an [extension to the Authorization Code flow](https://oauth.net/2/pkce/). Are you sure you're using the correct flow? – Helen Nov 11 '21 at 08:12
  • Or it could be that Swagger UI is not the right tool to test the Client Credentials flow since it's a web page rather than a server in a server-to-server environment. You might want to use a non-browser API testing tool like SoapUI or Postman. – Helen Nov 11 '21 at 08:18
  • I intended to use Swagger as an API interface for all of our APIs, so that the API consumers get a more pleasant experience than they would with tools like Postman :( – roby.elan Nov 11 '21 at 11:51
