Oh yeah, I remember this one. I don't remember if this is still ... • Aaron Parecki

Brock Allen https://twitter.com/BrockLAllen • Feb 25
Hey @aaronpk, can you explain this help article? It makes no sense to me. TIA

https://support.okta.com/help/s/article/Browser-requests-to-the-token-endpoint-must-use-Proof-Key-for-Code-Exchange?language=en_US

Oh yeah, I remember this one. I don't remember if this is still current behavior, but basically Okta is tying to prevent browsers from using anything other than the authorization code PKCE flow. It does that by detecting the Origin header which isn't sent by server apps.

Portland, Oregon • 34°F

Thu, Feb 24, 2022 6:50pm -08:00

1 like 11 replies
- Hirsch Singhal
Have you written a response to this? Let me know the URL:
- Aaron Parecki twitter.com/aaronpk
  
  I totally agree, this error message makes no sense. I'm going to file a ticket tomorrow internally to fix it.
  
  Fri, Feb 25, 2022 3:18am +00:00 (via brid.gy)
- Brock Allen twitter.com/BrockLAllen
  
  Arguably, tho, PKCE and putting a client secret into a SPA are orthogonal. It's conflating two things that work differently. Poor devs can't understand those differences. The error should be "we see you sent a client secret and an Origin header. is your client a SPA?"
  
  Fri, Feb 25, 2022 3:10am +00:00 (via brid.gy)
- Aaron Parecki twitter.com/aaronpk
  
  yep you guessed it! misleading error message but that's exactly what was going on.
  
  Fri, Feb 25, 2022 3:07am +00:00 (via brid.gy)
- Aaron Parecki twitter.com/aaronpk
  
  Yep, I confirmed my suspicion. Misleading error message. Will post details on the github thread.
  
  Fri, Feb 25, 2022 3:03am +00:00 (via brid.gy)
- Brock Allen twitter.com/BrockLAllen
  
  Ah, good question -- I didn't notice that. I bet their client config is misconfigured then.
  
  Fri, Feb 25, 2022 3:00am +00:00 (via brid.gy)
- Aaron Parecki twitter.com/aaronpk
  
  why does that example have the browser sending a client secret in the request? That seems odd. Happy to continue this over on the github thread.
  
  Fri, Feb 25, 2022 2:58am +00:00 (via brid.gy)
- Brock Allen twitter.com/BrockLAllen
  
  Well, using PKCE for all code-flow scenarios fixes that :)
  
  Fri, Feb 25, 2022 2:55am +00:00 (via brid.gy)
- Brock Allen twitter.com/BrockLAllen
  
  People are asking, when using standards compliant OIDC client libraries: github.com/authts/oidc-cl…
  
  Fri, Feb 25, 2022 2:55am +00:00 (via brid.gy)
- Hirsch Singhal twitter.com/hpsin_
  
  Helps prevent devs from putting their client secrets in a web page to perform the client creds flow, yep. When AAD enabled this, we definitely got a couple support calls on that. This was how we ratcheted forward PKCE use from suggested to required as well.
  
  Fri, Feb 25, 2022 2:55am +00:00 (via brid.gy)
- Aaron Parecki twitter.com/aaronpk
  
  Yeah that's right. I agree it's super confusing and has caused some tricky issues before. It may be different in the new platform but I'd have to double check
  
  Fri, Feb 25, 2022 2:53am +00:00 (via brid.gy)
- Brock Allen twitter.com/BrockLAllen
  
  It's confusing as hell, and I'm confused by the implementation -- on the token endpoint if Origin is present, you require that the authz used PKCE? That's about the only valid approach to that I can imagine.
  
  Fri, Feb 25, 2022 2:53am +00:00 (via brid.gy)

Posted in /replies using indigenous.abode.pub/ios