I’m making a React Electron app (at this point a simple auth demo which I plan to apply to a larger project). I’m following “Call Your API Using the Authorization Code Flow with PKCE”, as another thread recommended this for Electron problems with auth lock. I am through to step 4, “Exchange the Authorization Code for an Access Token” (i.e. I get my initial auth code but cannot get the token): making a request for a token returns {"error":"access_denied","error_description":"Unauthorized"}. My application is set as a web application, basic token endpoint authorization, and I checked that the grant types include authorization code. Here is a gist with my code: gist:fa7f8e9652ee9964025d0b1a9c686433 · GitHub
componentDidMount checks the URL, as it’s also the same URL as the redirect; if the access_code is present it fires off the call (that fails) to get a token.
The “Unauthorized” error here is most likely caused by the Token Endpoint Authentication Method setting on the app being set to something other than “None”.
On apps registered as Regular Web Apps in Auth0, this setting is set to “Post” by default, which means client authentication using a client secret is required to get a token.
On apps registered as Native Apps or Single-Page Apps, this setting is set to “None”.
Do note that setting Token Endpoint Authentication Method to “None” can have security implications depending on what grant types you allowed for that particular app. If you’re just doing the authorization code flow with PKCE (which is what we usually recommend), be sure to turn off the grant types that aren’t being used in the app’s Advanced settings. The “password” grant type is one that should be avoided when there is no authentication on the token endpoint.