Oracle Access Manager (OAM) Federation OAUTH Protocol - PKCE Flow Fails "Invalid Request" For Client Type "Confidential"
(Doc ID 2793153.1)
Last updated on OCTOBER 20, 2022
Applies to:
Oracle Access Manager - Version 12.2.1.4.0 and later
Information in this document applies to any platform.
Symptoms
In an OAuth flow with PKCE, the client receives "Invalid Request" when it attempts to exchange the authorization code for an access token using the code verifier, if the client type is CONFIDENTIAL_CLIENT.
- The same flow works if the client type is PUBLIC_CLIENT.
Background - OAuth 2.0 RFC
PKCE (pronounced "pixy") is a security extension to OAuth 2.0 for public clients on mobile devices, designed to prevent interception of the authorization code by a malicious application that has sneaked onto the same device.
Public clients are incapable of maintaining the confidentiality of their credentials; in other words, they are not able to keep secret the client_secret that is used in the authorization code flow when the code is exchanged for the tokens. Such clients are SPAs and also native applications such as mobile applications. This is why PKCE is mandatory for public clients: for the authorization server, this is the only way to ensure that the authorization code is redeemed by the same client instance that requested it.
Confidential clients, on the other hand, can safely maintain the confidentiality of their credentials. These are clients implemented on a secure server where access to the client_secret can be restricted. The client_secret is then passed by the client to the token endpoint along with the client_id, and the Authorization Server can authenticate the client.
At first glance, it might seem that PKCE is not required for confidential clients. However, this is not true.
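The Background section above describes the two halves of PKCE and why a confidential client still sends its client_secret. The Python below is an added illustration and not Oracle Access Manager code: it implements the RFC 7636 verifier/challenge computation, the token-endpoint check, and the difference between the PUBLIC_CLIENT and CONFIDENTIAL_CLIENT token requests (client type names taken from the Symptoms section; the client id, secret and redirect URI are constructed placeholders). The authorization server here is an in-memory stand-in, so it does not reproduce the OAM "Invalid Request" response whose cause the page keeps behind sign-in.

```python
"""Added example (not Oracle/OAM code): the PKCE steps from RFC 7636, plus the
token request shape for a PUBLIC_CLIENT versus a CONFIDENTIAL_CLIENT."""
import base64
import hashlib
import secrets
from typing import Optional

# Characters RFC 7636 s.4.1 allows in a code_verifier (the "unreserved" set).
_UNRESERVED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~")


def make_code_verifier(n_bytes: int = 32) -> str:
    """Random verifier; 32 bytes base64url-encoded gives 43 characters, the RFC minimum."""
    return base64.urlsafe_b64encode(secrets.token_bytes(n_bytes)).rstrip(b"=").decode("ascii")


def make_code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier))) with padding stripped."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def verifier_is_well_formed(verifier: str) -> bool:
    return 43 <= len(verifier) <= 128 and all(c in _UNRESERVED for c in verifier)


def verify_pkce(stored_challenge: str, method: str, presented_verifier: str) -> bool:
    """Token-endpoint side: recompute the challenge from the presented verifier and
    compare it (constant-time) with the one stored when the code was issued."""
    if not verifier_is_well_formed(presented_verifier):
        return False
    if method == "S256":
        expected = make_code_challenge(presented_verifier)
    elif method == "plain":  # allowed by the RFC but offers no interception protection
        expected = presented_verifier
    else:
        return False
    return secrets.compare_digest(expected, stored_challenge)


def token_request(client_type: str, client_id: str, code: str, redirect_uri: str,
                  verifier: str, client_secret: Optional[str] = None):
    """Headers and form body for POST /token. Both client types send code_verifier;
    a CONFIDENTIAL_CLIENT additionally authenticates (HTTP Basic, RFC 6749 s.2.3.1)."""
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "code_verifier": verifier,
    }
    if client_type == "CONFIDENTIAL_CLIENT":
        if not client_secret:
            raise ValueError("confidential client needs its client_secret")
        cred = base64.b64encode(f"{client_id}:{client_secret}".encode("ascii")).decode("ascii")
        headers["Authorization"] = "Basic " + cred
    elif client_type != "PUBLIC_CLIENT":
        raise ValueError("unknown client type " + client_type)
    return headers, body


def simulate_flow(client_type: str, tamper_verifier: bool = False) -> bool:
    """End-to-end run against an in-memory stand-in for the authorization server.
    Returns True when the server would issue tokens, False when it must reject."""
    # Constructed placeholder registration; real values live in the AS client store.
    secret = "s3cr3t-placeholder" if client_type == "CONFIDENTIAL_CLIENT" else None
    registered = {"client_id": "example-app", "secret": secret}
    # 1. Client creates verifier + challenge and sends the challenge with /authorize.
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)
    # 2. Server issues a code and remembers the challenge alongside it.
    issued = {"code": secrets.token_urlsafe(16), "challenge": challenge, "method": "S256"}
    # 3. Client redeems the code, presenting the original verifier (or a wrong one).
    presented = make_code_verifier() if tamper_verifier else verifier
    headers, body = token_request(client_type, registered["client_id"], issued["code"],
                                  "https://client.example/cb", presented, registered["secret"])
    # 4. Server checks client authentication (confidential only) and then PKCE.
    if client_type == "CONFIDENTIAL_CLIENT":
        expected = base64.b64encode(
            f"{registered['client_id']}:{registered['secret']}".encode("ascii")).decode("ascii")
        if headers.get("Authorization") != "Basic " + expected:
            return False
    return body["code"] == issued["code"] and verify_pkce(
        issued["challenge"], issued["method"], body["code_verifier"])
```

The point the example makes explicit: for a confidential client the token request carries two independent proofs, the client_secret (who the client is) and the code_verifier (that this is the same client instance that started the authorization request). A token endpoint should check both; treating them as mutually exclusive is what turns a valid confidential-client PKCE exchange into a rejected one.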
Changes
Cause