We are not able to get the PKCE authentication flow to work.
Self-hosted GitLab on Ubuntu Jammy
GitLab version 17.3.2-ee.0
Application is tagged as both “Trusted” and “Confidential”, and all scopes are enabled.
(This app is for our internal use, and the application ID and secret are embedded in a server-side middleware)
We have successfully implemented the flow without PKCE, as described here:
Our app already has working OAuth PKCE flows against both Microsoft and Salesforce, so the methods of code_challenge computation are verified against those systems, with the same method of S256.
We modified the flow to support PKCE, as described here:
When we use /oauth/token with code_verifier=CODE_VERIFIER we get error:
invalid_client | Client authentication failed due to unknown client, no client authentication included, or unsupported authentication method
When we use /oauth/token with client_secret=APP_SECRET AND code_verifier=CODE_VERIFIER we get error:
invalid_grant | The provided authorization grant is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client.
(Note that the documentation does not say to include client_secret=APP_SECRET , but we tried it as well)
As we have a working flow without PKCE, we will continue without it!
But at some point PKCE will be mandatory, so this does need to be resolved.
Thank you!