
Authorization from Dev portal doesn't work for OAuth2 clientCredentials flow integration with Okta

Hello!

Authorization button doesn't work with Okta JWT token provider and `clientCredentials` flow.

Having a `securitySchemes` section like:

```yaml
securitySchemes:
  publicApiKey:
    type: apiKey
    name: Authorization
    in: header
  myOAuth2:
    type: oauth2
    flows:
      clientCredentials:
        tokenUrl: https://my.okta.com/oauth2/default/v1/token
        scopes:
          api_public: access to the endpoint
```

The Dev portal web UI always sends an `origin` header. Okta responds with `Access-Control-Allow-Origin` when the creds are valid, but the response code is 401 and the body is:

```json
{
    "error": "invalid_client",
    "error_description": "Browser requests to the token endpoint must use Proof Key for Code Exchange."
}
```

because of https://support.okta.com/help/s/article/Browser-requests-to-the-token-endpoint-must-use-Proof-Key-fo....

Thus, my question is: is it possible to change something on the Apigee side to prevent sending the `origin` header, at least for the `clientCredentials` flow?

My point here: any server, not just Okta, should consider requests with an `origin` header to be browser requests, and thus has the right to respond with an error when it expects a call from a server.

----
This is not the same as, but close to, https://community.apigee.com/questions/61809/dev-portal-invocation-external-oauth.html, as Okta is customizable and can respond with the same header as the origin in the CORS header.
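The following is an added Python model of the token-endpoint decision the question describes; it is not Okta's or Apigee's code, and the function names, the `https://dev-portal.example` origin and the success payload are assumptions. It reproduces the observed behaviour (a `client_credentials` request carrying an `Origin` header is refused with the quoted `invalid_client` error, while the CORS header is still echoed) and contrasts it with the same grant issued from a server-side component without `Origin`, which is how a confidential client normally keeps its secret out of the browser.

```python
"""Model of the token-endpoint policy described in the question.

Added illustration, not Okta's or Apigee's code. A request that carries an
Origin header is treated as a browser request; a confidential grant
(client_credentials) from a browser is refused with the quoted error, and a
browser-based authorization_code exchange is accepted only with PKCE.
"""
from dataclasses import dataclass, field

# Error payload quoted in the question.
PKCE_ERROR = {
    "error": "invalid_client",
    "error_description": "Browser requests to the token endpoint must use Proof Key for Code Exchange.",
}


@dataclass
class TokenResponse:
    status: int
    body: dict
    headers: dict = field(default_factory=dict)


def token_endpoint(headers: dict, form: dict) -> TokenResponse:
    """Decide how a token request is answered (constructed model of the policy)."""
    # HTTP header names are case-insensitive; normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    origin = lowered.get("origin")
    grant = form.get("grant_type")

    # The question notes the provider echoes the Origin in the CORS header even
    # when it rejects the grant, so the browser can read the error body.
    cors = {"Access-Control-Allow-Origin": origin} if origin else {}

    if origin is not None:
        # A client_credentials grant from a browser would mean the client
        # secret is exposed to the page, so it is refused outright.
        if grant == "client_credentials":
            return TokenResponse(401, dict(PKCE_ERROR), cors)
        # Browser-based authorization_code exchanges must prove possession of
        # the code via PKCE (code_verifier).
        if grant == "authorization_code" and "code_verifier" not in form:
            return TokenResponse(401, dict(PKCE_ERROR), cors)

    if grant not in ("client_credentials", "authorization_code"):
        return TokenResponse(400, {"error": "unsupported_grant_type"}, cors)

    # Constructed success payload; a real server would mint and sign a token.
    return TokenResponse(
        200,
        {"access_token": "constructed-access-token", "token_type": "Bearer",
         "scope": form.get("scope", "")},
        cors,
    )


def browser_client_credentials(client_id: str, client_secret: str, scope: str) -> TokenResponse:
    """What the Dev portal 'Authorize' button effectively sends: the browser adds
    Origin automatically, so this path ends in the 401 from the question."""
    return token_endpoint(
        {"Origin": "https://dev-portal.example",  # assumed portal origin
         "Content-Type": "application/x-www-form-urlencoded"},
        {"grant_type": "client_credentials", "client_id": client_id,
         "client_secret": client_secret, "scope": scope},
    )


def server_side_client_credentials(client_id: str, client_secret: str, scope: str) -> TokenResponse:
    """The same grant issued from a backend (for example an API proxy): no
    Origin header, so the confidential client is accepted."""
    return token_endpoint(
        {"Content-Type": "application/x-www-form-urlencoded"},
        {"grant_type": "client_credentials", "client_id": client_id,
         "client_secret": client_secret, "scope": scope},
    )


if __name__ == "__main__":
    for label, fn in (("browser", browser_client_credentials),
                      ("server-side", server_side_client_credentials)):
        r = fn("demo-client", "demo-secret", "api_public")
        print(f"{label}: {r.status} {r.body} {r.headers}")
```

Running the block prints the 401 with the quoted body for the browser path and a 200 for the server-side path; the difference between the two calls is only the presence of `Origin`, which is exactly the signal the question asks whether Apigee can suppress.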


Artem, let me see if I can find someone to help out with this question.