FusionAuth
    • Home
    • Categories
    • Recent
    • Popular
    • Pricing
    • Contact us
    • Docs
    • Login

    Authorization Code with PKCE and without Client Secret in Postman

    Scheduled Pinned Locked Moved
    Comments & Feedback
    0
    6
    6.7k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • F
      felix
      last edited by

      I'm trying to get my browser extension to authenticate against FA using OAuth2. Authorization Code with PKCE seems to be the answer, but I keep getting stuck at the token endpoint.

      I'm getting a 401 error:

      {"error":"invalid_client","error_description":"Invalid client authentication credentials.","error_reason":"invalid_client_authentication"}

      Authentication works great from Postman when adding the Client Secret to the Authentication options, but that defeats the purpose of PKCE.

      Do you have a Postman example and FA Application setup to test?

      1 Reply Last reply Reply Quote 0
      • danD
        dan
        last edited by

        What does your application config look like?

        If you don't want client authentication to be enforced, you need to configure the application to do this.

        https://fusionauth.io/docs/v1/tech/core-concepts/applications/#oauth

        Client Authentication
        This selector allows you to set a rule for accessing the Token endpoint.
        Required - The client_secret parameter must be used. This is the default setting. In most cases you will not want to change this setting.
        Not required - Use of the client_secret parameter is optional.
        Not required when using PKCE - Requires the use of the client_secret parameter unless a valid PKCE code_verifier parameter is used. This is useful for scenarios where you have a requirement to make a request to the Token endpoint where you cannot safely secure a client secret such as native mobile applications and single page applications (SPAs) running in a browser. In these scenarios it is recommended you use PKCE.
        See the Token endpoint for more information.

        --
        FusionAuth - Auth for devs, built by devs.
        https://fusionauth.io

        1 Reply Last reply Reply Quote 0
        • F
          felix
          last edited by

          @dan, I have tried every possible combination of Client Authentication and PKCE settings. Nothing seems to work. Currently I have this config:

          Screen Shot 2021-09-29 at 12.18.10.png

          1 Reply Last reply Reply Quote 0
          • robotdanR
            robotdan
            last edited by robotdan

            Is there anything interesting in the Debug Event log?

            I'll also note if you do not want to require client authentication, ensure you are not sending a client_secret. Regardless of your configuration, if provided it will be validated.

            1 Reply Last reply Reply Quote 0
            • robotdanR
              robotdan
              last edited by

              @felix said in Authorization Code with PKCE and without Client Secret in Postman:

              "Invalid client authentication credentials."

              From the error you posted, it appears you are using the client credentials grant. This grant is not part of the OAuth2 application configuration and does not support PKCE. The client credentials grant will require a client_id and client_secret from the Entity.

              https://fusionauth.io/docs/v1/tech/oauth/endpoints/#client-credentials-grant-request

              1 Reply Last reply Reply Quote 0
              • F
                felix
                last edited by

                Ok, I found the problem.

                I was sending an Authorization header, because that was the default option in Postman. Now I tried it with the other option which is "Send client credentials in body" and it works.

                The documentation about the token endpoint had me a bit confused, that's why I kept sending an (invalid) Authorization header. Now that I post an empty client_secret parameter in the body and NO Authorization header to the token endpoint, things are working fine.

                Thanks for pointing me in the right direction, @robotdan and @dan.

                1 Reply Last reply Reply Quote 1
                • First post
                  Last post