Hello!
The Authorization button doesn't work with the Okta JWT token provider and the `clientCredentials` flow.
Having `securitySchemes` section like:
```yaml
securitySchemes:
  publicApiKey:
    type: apiKey
    name: Authorization
    in: header
  myOAuth2:
    type: oauth2
    flows:
      clientCredentials:
        tokenUrl: https://my.okta.com/oauth2/default/v1/token
        scopes:
          api_public: access to the endpoint
```
The dev portal web UI always sends an `origin` header. Okta responds with `Access-Control-Allow-Origin` when the creds are valid, but the response code is 401 and the body is:
```json
{
  "error": "invalid_client",
  "error_description": "Browser requests to the token endpoint must use Proof Key for Code Exchange."
}
```
because of https://support.okta.com/help/s/article/Browser-requests-to-the-token-endpoint-must-use-Proof-Key-fo....
Thus, my question is: is it possible to change something on the Apigee side to prevent sending the `origin` header, at least for the `clientCredentials` flow?
My point here: any server, not just Okta, should treat requests carrying an `origin` header as browser requests, and is therefore within its rights to respond with an error when it expects a call from a server.
----
This is not the same as, but close to, https://community.apigee.com/questions/61809/dev-portal-invocation-external-oauth.html, as Okta is customizable and can respond with the same value as the origin in the CORS header.
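To make the rule behind Okta's error concrete, here is an added example (written for this page, not Okta's or Apigee's code) of the policy a token endpoint applies: a `client_credentials` grant requires a client secret, a browser cannot keep one confidential, so a request that carries an `Origin` header is refused for that grant and told to use PKCE instead. The client registry, origins and token values are constructed; the 401 body is the one quoted in the post, and the CORS header is only reflected for a registered client whose allow-list contains the origin.

```python
"""Token-endpoint policy check: client_credentials is refused for browser-originated
requests (those carrying an Origin header). Added example for this page; the
client registry, origins and tokens below are constructed, not real Okta data."""

import secrets
from typing import Dict, Mapping, Tuple

# Constructed client registry standing in for the authorization server's database.
REGISTERED_CLIENTS: Dict[str, dict] = {
    # A backend service: confidential, holds a secret, never expected to call from a browser.
    "portal-backend": {
        "secret": "constructed-secret",
        "confidential": True,
        "allowed_origins": ["https://portal.example"],
    },
    # A single-page app: public client, must use authorization_code + PKCE.
    "portal-spa": {
        "secret": None,
        "confidential": False,
        "allowed_origins": ["https://portal.example"],
    },
}

# The error body the post received from Okta.
PKCE_ERROR = {
    "error": "invalid_client",
    "error_description": "Browser requests to the token endpoint must use Proof Key for Code Exchange.",
}


def _client_authenticated(client: dict, form: Mapping[str, str]) -> bool:
    """Confidential clients must present the correct secret; public clients have none."""
    if not client["confidential"]:
        return True
    presented = form.get("client_secret") or ""
    return secrets.compare_digest(presented, client["secret"])


def handle_token_request(headers: Mapping[str, str], form: Mapping[str, str]) -> Tuple[int, dict, dict]:
    """Return (status, json_body, response_headers) for a POST to the token endpoint."""
    # HTTP header names are case-insensitive, so normalise before lookup.
    hdrs = {k.lower(): v for k, v in headers.items()}
    origin = hdrs.get("origin")
    resp_headers = {"Content-Type": "application/json"}

    client = REGISTERED_CLIENTS.get(form.get("client_id", ""))
    if client is None or not _client_authenticated(client, form):
        # Unknown or badly authenticated client: no CORS header, generic error.
        return 401, {"error": "invalid_client"}, resp_headers

    # Client is valid: reflect the origin only if it is on the client's allow-list.
    # This matches what the post observed: the CORS header appears even when the
    # grant itself is then refused.
    if origin is not None and origin in client["allowed_origins"]:
        resp_headers["Access-Control-Allow-Origin"] = origin

    grant = form.get("grant_type")

    if grant == "client_credentials":
        if origin is not None:
            # A browser request cannot protect the client secret: refuse the grant.
            return 401, dict(PKCE_ERROR), resp_headers
        return 200, {"access_token": "constructed-token", "token_type": "Bearer"}, resp_headers

    if grant == "authorization_code":
        # PKCE is mandatory for public clients and for any browser-originated request.
        if (not client["confidential"] or origin is not None) and not form.get("code_verifier"):
            return 401, dict(PKCE_ERROR), resp_headers
        return 200, {"access_token": "constructed-token", "token_type": "Bearer"}, resp_headers

    return 400, {"error": "unsupported_grant_type"}, resp_headers


if __name__ == "__main__":
    # The situation from the post: valid secret, client_credentials, Origin present.
    print(handle_token_request(
        {"Origin": "https://portal.example"},
        {"grant_type": "client_credentials", "client_id": "portal-backend",
         "client_secret": "constructed-secret"},
    ))
```

Run as written, the main block reproduces the post's outcome: a 401 with `invalid_client`, yet with `Access-Control-Allow-Origin` set, because the client was authenticated before the grant was refused. The same request without the `Origin` header (as a server would send it) is accepted.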
Artem, let me see if I can find someone to help out with this question.