Hey @aaronpk, can you explain this help article? It makes no sense to me. TIA
support.okta.com/help/s/arti…
Oh yeah, I remember this one. I don't remember if this is still current behavior, but basically Okta is trying to prevent browsers from using anything other than the authorization code PKCE flow. It does that by detecting the Origin header, which isn't sent by server apps.
It's confusing as hell, and I'm confused by the implementation -- on the token endpoint if Origin is present, you require that the authz used PKCE? That's about the only valid approach to that I can imagine.
Yeah, that's right. I agree it's super confusing and has caused some tricky issues before. It may be different in the new platform, but I'd have to double check.
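The token-endpoint rule the thread describes (browser caller, detected via Origin, must have used PKCE), modelled as an added example; this is not Okta's code, and the client ids, secret and codes are constructed values for illustration.

```python
# Added example, not Okta's implementation. Models the check discussed above:
# if the token request carries an Origin header (browser), the authorization
# code must have been issued with a PKCE challenge and the verifier must match.
import base64
import hashlib
import hmac
import secrets


def s256_challenge(verifier: str) -> str:
    """RFC 7636 S256 transform: BASE64URL(SHA256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


# Constructed state: codes the authorization endpoint already issued, and the
# secret of the one confidential (server-side) client.
VERIFIER = "constructed-verifier-" + "x" * 30
ISSUED_CODES = {
    "code-pkce": {"client_id": "spa", "code_challenge": s256_challenge(VERIFIER)},
    "code-nopkce": {"client_id": "srv", "code_challenge": None},
}
CLIENT_SECRETS = {"srv": "constructed-secret"}


def token_endpoint(headers: dict, form: dict, issued: dict = ISSUED_CODES) -> dict:
    """Return a token response or an OAuth error object for one request."""
    record = issued.get(form.get("code"))
    if record is None:
        return {"error": "invalid_grant"}
    browser_caller = "Origin" in headers
    challenge = record["code_challenge"]
    if browser_caller and challenge is None:
        # Browser presented a code that was obtained without PKCE: refuse it.
        return {"error": "invalid_grant", "error_description": "PKCE required"}
    if challenge is not None:
        # Code was bound to a challenge: verifier is mandatory and must match.
        verifier = form.get("code_verifier")
        if verifier is None or not hmac.compare_digest(s256_challenge(verifier), challenge):
            return {"error": "invalid_grant", "error_description": "PKCE check failed"}
    else:
        # No PKCE: only a confidential client may redeem, using its secret.
        expected = CLIENT_SECRETS.get(record["client_id"])
        if expected is None or form.get("client_secret") != expected:
            return {"error": "invalid_client"}
    # A real server would also mark the code as used here (single redemption).
    return {"access_token": secrets.token_urlsafe(16), "token_type": "Bearer"}
```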
People are asking, when using standards-compliant OIDC client libraries:
github.com/authts/oidc-clien…
why does that example have the browser sending a client secret in the request? That seems odd. Happy to continue this over on the github thread.
Yep, I confirmed my suspicion. Misleading error message. Will post details on the github thread.
Feb 25, 2022 · 3:03 AM UTC