Hey @aaronpk, can you explain this help article? It makes no sense to me. TIA support.okta.com/help/s/arti…
1
Oh yeah, I remember this one. I don't remember if this is still current behavior, but basically Okta is trying to prevent browsers from using anything other than the authorization code PKCE flow. It does that by detecting the Origin header, which isn't sent by server apps.
1
1
It's confusing as hell, and I'm confused by the implementation -- on the token endpoint if Origin is present, you require that the authz used PKCE? That's about the only valid approach to that I can imagine.
2
Helps prevent devs from putting their client secrets in a web page to perform the client creds flow, yep. When AAD enabled this, we definitely got a couple support calls on that. This was how we ratcheted forward PKCE use from suggested to required as well.
2
Yep, you guessed it! Misleading error message, but that's exactly what was going on.
1
Arguably, though, PKCE and putting a client secret into a SPA are orthogonal. It's conflating two things that work differently. Poor devs can't understand those differences. The error should be "We see you sent a client secret and an Origin header. Is your client a SPA?"
1
Replying to @BrockLAllen @hpsin_
I totally agree, this error message makes no sense. I'm going to file a ticket tomorrow internally to fix it.

Feb 25, 2022 · 3:18 AM UTC
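As an added example (not Okta's code and not anything posted by the people in this thread), here is a token-endpoint policy check in Python that implements the Origin-based rule described above and returns the clearer error Brock suggests; the request shape, the in-memory code store and the error strings are assumptions.

```python
"""Token-endpoint policy: treat a request carrying an Origin header as a
browser client, refuse client secrets from it, and require PKCE.
Hypothetical model of the behaviour discussed in the thread, not Okta's code."""
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample store: authorization code -> whether the matching
# authorization request carried a code_challenge (i.e. used PKCE).
ISSUED_CODES = {
    "code-with-pkce": True,
    "code-without-pkce": False,
}

@dataclass
class TokenRequest:
    grant_type: str
    origin: Optional[str] = None         # HTTP Origin header; absent for server apps
    client_secret: Optional[str] = None
    code: Optional[str] = None
    code_verifier: Optional[str] = None

def check_token_request(req: TokenRequest) -> Tuple[bool, str, str]:
    """Return (allowed, oauth_error_code, human_readable_description)."""
    browser = req.origin is not None    # browsers always send Origin on cross-site POSTs
    if browser and req.client_secret is not None:
        # The clearer message proposed above: name both signals and ask the question.
        return (False, "invalid_client",
                "We see you sent a client secret and an Origin header. Is your client a SPA? "
                "Browser clients cannot keep a secret; use authorization code + PKCE.")
    if browser and req.grant_type == "client_credentials":
        return (False, "unauthorized_client",
                "client_credentials is not available to browser clients.")
    if req.grant_type == "authorization_code":
        used_pkce = ISSUED_CODES.get(req.code, False)
        if browser and not (used_pkce and req.code_verifier):
            return (False, "invalid_grant",
                    "Browser clients must use PKCE: send code_challenge on the "
                    "authorization request and code_verifier here.")
        if used_pkce and not req.code_verifier:
            return (False, "invalid_grant", "code_verifier is required for this code.")
    return (True, "", "")
```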