Description
I am trying to create a ReactJS single-page application in which I load the Swagger contracts for a number of services. Once the Swagger UI is rendered, the user can directly enter the client ID/secret to get an access token. My auth server is Okta. But when I try to get the access token, I get the response:
Auth Error Error: error: invalid_client, error_description: Browser requests to the token endpoint must use Proof Key for Code Exchange.
This error actually comes from my IdP, Okta. To reproduce it locally, I added the "Origin" header to my curl request and received the same response. I see that this error is related to PKCE. When I went through the documentation, PKCE was actually introduced to mitigate the risks associated with the authorization code flow. My case is different: we are treating Swagger UI as just another REST client to get the token and make sample requests.
Who adds the Origin header in this case? Is it Chrome or Swagger UI? If Swagger UI does that, can we have the flexibility to opt out? I want to understand the reason behind this and the pros and cons of such an ask. We want to use the available feature to try out requests. Because of this I am not able to get the access token from the IdP using the Swagger library.