Brock Allen · Feb 25, 2022 · 2:10 AM UTC

Brock Allen

Brock Allen @BrockLAllen

25 Feb 2022

Hey @aaronpk, can you explain this help article? It makes no sense to me. TIA support.okta.com/help/s/arti…

Aaron Parecki · Feb 25, 2022 · 2:50 AM UTC

Aaron Parecki · Feb 25, 2022 · 2:50 AM UTC

Aaron Parecki @aaronpk

25 Feb 2022

Replying to @BrockLAllen

Oh yeah, I remember this one. I don't remember if this is still current behavior, but basically Okta is tying to prevent browsers from using anything other than the authorization code PKCE flow. It does that by detecting the Origin header which isn't sent by server apps.

Feb 25, 2022 · 2:50 AM UTC

Brock Allen · Feb 25, 2022 · 2:53 AM UTC

Brock Allen @BrockLAllen

25 Feb 2022

Replying to @aaronpk

It's confusing as hell, and I'm confused by the implementation -- on the token endpoint if Origin is present, you require that the authz used PKCE? That's about the only valid approach to that I can imagine.

Aaron Parecki · Feb 25, 2022 · 2:53 AM UTC

Aaron Parecki @aaronpk

25 Feb 2022

Yeah that's right. I agree it's super confusing and has caused some tricky issues before. It may be different in the new platform but I'd have to double check

more replies