My Oracle Support Banner

Oracle Access Manager (OAM) Federation OAUTH Protocol - PKCE Flow Fails "Invalid Request" For Client Type "Confidential" (Doc ID 2793153.1)

Last updated on OCTOBER 20, 2022

Applies to:

Oracle Access Manager - Version and later
Information in this document applies to any platform.


In an Oauth with PCKE flow getting "Invalid Request" when attempting to get the access token using the code verifier if client type is CONFIDENTIAL_CLIENT

Back Ground - OAuth 2.0 RFC

PKCE (pronounced "pixy") is a security extension to OAuth 2.0 for public clients on mobile devices, designed to prevent interception of the authorisation code by a malicious application that has sneaked into the same device

Public clients are incapable of maintaining the confidentiality of its credentials, in other words, it’s not able to keep secret the client_secret that we use in the authorization code flow when the code is exchanged for the tokens. Such clients are SPAs and also native applications such as mobile applications. This is  why PKCE is mandatory for public clients: for the authorization server, this is the only way to ensure that.

Confidential clients, on the other hand, can safely maintain the confidentiality of its credentials. These are the clients implemented on a secure server where the access to the client_secret can be restricted. The client_secret is then passed by the client to the token endpoint along with the client_id and the  Authorization Server can authenticate the client.
At first glance, it might seem that PKCE is not required for confidential clients. However, this is not true. 






To view full details, sign in with your My Oracle Support account.

Don't have a My Oracle Support account? Click to get started!

In this Document

My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.