OAuth PKCE Example

I’m setting up an OAuth2 application for my Gitea Organization and I’d like to use the Proof Key for Code Exchange (PKCE) grant.

There’s a great example in the docs (OAuth2 provider - Docs), however it explicitly says:

Note: This example does not use PKCE.

I was wondering if anyone can point me to a working example? The Authorization Endpoint seems to be working fine, but when I POST to the Access Token Endpoint it throws:

Only refresh_token or authorization_code grant type is supported

which is weird because I have grant_type=authorization_code in my request.

Any nudge in the right direction is appreciated, thank you!

I had exactly the same issue.

This is my body and it says only authorization_code is supported :slight_smile:

"grant_type":"authorization_code ",

Inspecting the code in another tool notice the trailing space. I copied the example… removing the space behind authorization_code makes it work fine!

Thanks for the response @holgerflick!

I’m confused why you’re passing the client_secret though, is that necessary?

From OpenId Connect Auth Code Flow + PKCE - OneLogin API

The key difference between the PKCE flow and the standard Authorization Code flow is users aren’t required to provide a client_secret.

My colleague found that setting “Content-Type” to “application/x-www-form-urlencoded” fixed the vague grant type error we were experiencing. Hope that helps someone!