I’m almost successful in getting the PKCE Auth Flow to work - I can do everything including the code exchange.
The problem is that I have no “email” or “email_verified” in my access token, even though I asked for it with scope=email profile.
Any idea what might be doing wrong? Is there some configuration I need to do to allow APIs to have access to the user info?
Based solely on the information you provided (aka without actually trying it for myself) I would say that the likely cause of the situation is that you’re not including the openid scope.
Both the email and profile scopes are associated with OpenID Connect (OIDC) specification and signal that you want to have access to associated user information. However, a request that wants to have OIDC behavior should signal that by including the openid scope, otherwise, the exact response behavior is unspecified.
You should try using scope=openid email profile.
I just saw that your answer - thank you very much! That indeed was the problem!
I just saw that your answer - thank you very much! That indeed was the problem!