I’m setting up an OAuth2 application for my Gitea Organization and I’d like to use the Proof Key for Code Exchange (PKCE) grant.
There’s a great example in the docs (OAuth2 provider - Docs), however it explicitly says:
Note: This example does not use PKCE.
I was wondering if anyone can point me to a working example? The Authorization Endpoint seems to be working fine, but when I POST to the Access Token Endpoint it throws:
Only refresh_token or authorization_code grant type is supported
which is weird because I have grant_type=authorization_code in my request.
Any nudge in the right direction is appreciated, thank you!
I had exactly the same issue.
This is my body, and it says only authorization_code is supported.
Inspecting the code in another tool, notice the trailing space. I copied the example… removing the space behind authorization_code makes it work fine!
Thanks for the response @holgerflick!
I’m confused why you’re passing the client_secret though, is that necessary?
From OpenId Connect Auth Code Flow + PKCE - OneLogin API
The key difference between the PKCE flow and the standard Authorization Code flow is users aren’t required to provide a client_secret.
My colleague found that setting “Content-Type” to “application/x-www-form-urlencoded” fixed the vague grant type error we were experiencing. Hope that helps someone!
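Putting the two fixes reported in this thread together, here is an added example (not from the Gitea docs or from any poster) that builds the PKCE authorization URL and the token request without sending anything. The host, client_id and redirect_uri are placeholders, the endpoint paths are the ones in Gitea's OAuth2 provider docs, and omitting client_secret assumes the application is registered as a public client.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode
from urllib.request import Request

BASE = "https://gitea.example.com"  # placeholder host (assumption)
FORM = "application/x-www-form-urlencoded"

def challenge_for(verifier: str) -> str:
    """S256 code_challenge (RFC 7636): base64url(SHA-256(verifier)), no padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def new_verifier() -> str:
    """High-entropy code_verifier; 64 random bytes encode to 86 characters."""
    return secrets.token_urlsafe(64)

def authorize_url(client_id, redirect_uri, verifier, state):
    """URL the browser is sent to; only the challenge leaves the client here."""
    query = urlencode({
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "state": state,
        "code_challenge": challenge_for(verifier),
        "code_challenge_method": "S256",
    })
    return f"{BASE}/login/oauth/authorize?{query}"

def token_request(client_id, redirect_uri, code, verifier):
    """Build (not send) the POST that redeems the code with the verifier."""
    # No client_secret: assumes a public client, as labelled in the lead-in.
    fields = {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code": code,
        "code_verifier": verifier,
    }
    # Strip stray whitespace: a trailing space after authorization_code
    # was one cause of the grant-type error reported in this thread.
    body = urlencode({k: v.strip() for k, v in fields.items()})
    # Form-encoded body with the matching Content-Type, the other fix reported.
    return Request(f"{BASE}/login/oauth/access_token", data=body.encode("ascii"),
                   method="POST", headers={"Content-Type": FORM,
                                           "Accept": "application/json"})
```

Pass the returned Request to urllib.request.urlopen to perform the exchange, keeping the same verifier that produced the challenge in the authorization URL.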