[doc issue] OAuth2AuthorizationCode destination: clientSecret is optional but is sent in all token exchange requests #30
Description
Issue description
Hi team,
I am using Destination type OAuth2AuthorizationCode. When I create the destination in Destination Editor, it shows that client secret is optional and can be set to empty.
My authorization code flow is using PKCE, so no client secret is required. When I test the destination token exchange with client secret 'Set empty' (checking the box) or just leaving the field blank, the token exchange is failing with error:

```json
{
"error": "invalid_client",
"error_description": "Client authentication failed"
}
```
I can reproduce the same error if I try to perform the token exchange (to the token endpoint) myself in Postman and pass the client_secret in the request body without a value. If I remove this client_secret key from the body, the token exchange is successful.
This leads me to believe that even when this field is set empty in Destination Editor, the destination service is still passing client_secret in the body when performing the token exchange.
PKCE is not mentioned on the help docs, is this supported for this destination type? I assume it is if 'X-code-verifier' is mentioned.
I am doing a basic test by setting up the destination, obtaining the required authorization code in my browser and then calling the /destination-configuration/v1/destinations/ REST API with the following headers:

```bash
curl --request GET \
--url https://destination-configuration.cfapps.eu12.hana.ondemand.com/destination-configuration/v1/destinations/mydestination \
--header 'x-code: d34a17ee6436625e73beaee4a3ba1908' \
--header 'x-code-verifier: YXizNRUYafYrvXke0SJkKFnY_i_iVDYRPGakKaDO140' \
--header 'x-redirect-uri: http://localhost:3000/callback'
```
Is the documentation outdated?
Thanks!
Feedback Type (Optional)
clarity
Page Title on SAP Help Portal (prefilled)
OAuth Authorization Code Authentication
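The behaviour the reporter describes (an empty `client_secret` parameter rejected with `invalid_client`, the same request accepted once the key is removed) is easiest to see with both sides of the exchange in one place. The following is an added example, not code from the SAP destination service or from this repository. `MockTokenEndpoint` is a hypothetical authorization server that models the observed behaviour: any `client_secret` parameter in the body, even an empty one, is treated as an attempt at client authentication, which is consistent with RFC 6749 section 2.3.1, where a client with an empty secret is told it may omit the parameter rather than send it blank. The client ID, redirect URI and authorization codes are constructed for the example.

```python
# Authorization code + PKCE token exchange, showing why sending
# "client_secret=" (present but empty) fails while omitting the key works.
# Added example: this is NOT the SAP destination service's code. The
# MockTokenEndpoint is a hypothetical authorization server that models the
# behaviour the issue reports; client IDs, codes and URIs are constructed.
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_pkce_pair() -> tuple[str, str]:
    """Return (code_verifier, S256 code_challenge) for a public client."""
    verifier = b64url(secrets.token_bytes(32))          # 43 chars, like the one in the report
    challenge = b64url(hashlib.sha256(verifier.encode()).digest())
    return verifier, challenge


def build_token_request(code, code_verifier, redirect_uri, client_id, client_secret=None):
    """Client side of the exchange (RFC 6749 s4.1.3 + RFC 7636 s4.5).
    An empty secret means "public client": the parameter is omitted
    entirely, not sent as client_secret= with no value."""
    params = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "code_verifier": code_verifier,
    }
    if client_secret:                                   # None or "" -> omit the key
        params["client_secret"] = client_secret
    return urlencode(params)


class MockTokenEndpoint:
    """Hypothetical authorization server. Any client_secret parameter,
    even an empty one, is treated as an attempt to authenticate, which
    is what the reporter observed with Postman."""

    def __init__(self):
        self.confidential = {}   # client_id -> secret, confidential clients only
        self.codes = {}          # code -> (client_id, code_challenge, redirect_uri)

    def issue_code(self, client_id, code_challenge, redirect_uri):
        code = secrets.token_hex(16)
        self.codes[code] = (client_id, code_challenge, redirect_uri)
        return code

    def token(self, body: str) -> dict:
        form = parse_qs(body, keep_blank_values=True)   # keep "client_secret=" visible
        get = lambda k: form.get(k, [None])[0]
        client_id = get("client_id")
        if "client_secret" in form:
            expected = self.confidential.get(client_id)
            if expected is None or not secrets.compare_digest(get("client_secret"), expected):
                return {"error": "invalid_client",
                        "error_description": "Client authentication failed"}
        entry = self.codes.pop(get("code"), None)       # codes are single-use
        if entry is None or entry[0] != client_id or entry[2] != get("redirect_uri"):
            return {"error": "invalid_grant"}
        computed = b64url(hashlib.sha256((get("code_verifier") or "").encode()).digest())
        if not secrets.compare_digest(computed, entry[1]):
            return {"error": "invalid_grant", "error_description": "PKCE verification failed"}
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer"}


def run_scenarios() -> dict:
    """Exercise three variants of the same public-client exchange."""
    server = MockTokenEndpoint()
    client_id, redirect = "destination-client", "http://localhost:3000/callback"
    results = {}

    # 1. Key present but empty, as the "Set empty" option appears to send.
    verifier, challenge = make_pkce_pair()
    code = server.issue_code(client_id, challenge, redirect)
    body = build_token_request(code, verifier, redirect, client_id) + "&client_secret="
    results["empty_secret_key"] = server.token(body)

    # 2. Key omitted: the correct public-client request.
    verifier, challenge = make_pkce_pair()
    code = server.issue_code(client_id, challenge, redirect)
    results["omitted"] = server.token(build_token_request(code, verifier, redirect, client_id, ""))

    # 3. Right shape but wrong code_verifier: PKCE itself does the rejecting.
    verifier, challenge = make_pkce_pair()
    code = server.issue_code(client_id, challenge, redirect)
    wrong_verifier, _ = make_pkce_pair()
    results["bad_verifier"] = server.token(build_token_request(code, wrong_verifier, redirect, client_id))
    return results


if __name__ == "__main__":
    for name, res in run_scenarios().items():
        print(f"{name}: {res.get('error', 'access_token issued')}")
```

Running the block prints `invalid_client` for the first scenario, a token for the second and `invalid_grant` for the third. The practical check for the destination configuration is therefore to capture the outgoing token request (a local mock token endpoint, or the authorization server's request log) and confirm whether the body contains a `client_secret=` key at all; if it does, the service is authenticating as a confidential client regardless of the editor setting, and the fix is on the sending side, not in the PKCE parameters.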