Hello experts. I’ve set up a mobile application using authorization code flow with PKCE. When I manually walk through the flow using the instructions at Authorization Code Flow with Proof Key for Code Exchange (PKCE), everything works as expected. I query the auth URL with the response_code, code_challenge, code_challenge_method, client_id, redirect_uri, scope, audience, and state.
After authentication I get redirected to my callback URL with the code parameter, which I POST to the token URL along with grant_type=authorization_code, the client_id, code_verifier, and redirect_uri. That JSON response gives me my access_token, id_token, and refresh_token.
However, when using the Swagger UI (generated by my python API’s FastAPI library), it seems that the first request to the authorize endpoint is missing the code_challenge, code_challenge_method and audience parameters (also the additional oidc scopes I’d like). Swagger then queries the token endpoint without the code_verifier, and the response is a terse little JSON blob with a short access_token instead of a JWT.
And with Postman there’s an explicit setting for PKCE, but the first request doesn’t include the audience, and I end up with a similar kind of response from the token exchange.
What am I missing here? Are Swagger and Postman woefully underequipped to deal with PKCE, or did I configure them wrong somehow?
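The manual flow described in the question, written out as a small added example (not code from the original post or from any tool it mentions): it derives the S256 code_challenge from a code_verifier, builds the authorize URL with every parameter the post lists, builds the token-exchange body, and audits an arbitrary authorize URL for the PKCE and audience parameters that the post reports Swagger and Postman leave out. The URLs, client id and audience values are placeholders; `audience` is a provider-specific parameter rather than part of RFC 7636, so it is only treated as required because the post's provider expects it.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Parameters the question's manual walk-through sends on the authorize request.
# "audience" is provider-specific (not in RFC 7636); it is listed because the
# post's provider needs it to return a JWT access token.
REQUIRED_AUTHORIZE_PARAMS = {
    "response_type", "client_id", "redirect_uri", "scope", "state",
    "code_challenge", "code_challenge_method", "audience",
}


def b64url_no_pad(raw: bytes) -> str:
    """Base64url encoding without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def challenge_from_verifier(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url_no_pad(hashlib.sha256(verifier.encode("ascii")).digest())


def make_pkce_pair() -> tuple[str, str]:
    """Fresh (code_verifier, code_challenge); 32 random bytes -> 43-char verifier."""
    verifier = b64url_no_pad(secrets.token_bytes(32))
    return verifier, challenge_from_verifier(verifier)


def verify_pkce(verifier: str, challenge: str) -> bool:
    """What the token endpoint checks before honouring the code exchange."""
    return secrets.compare_digest(challenge_from_verifier(verifier), challenge)


def build_authorize_url(authorize_endpoint: str, client_id: str, redirect_uri: str,
                        scope: str, audience: str, state: str, code_challenge: str) -> str:
    """Authorize request with all the parameters from the manual flow."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "audience": audience,
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{authorize_endpoint}?{urlencode(params)}"


def build_token_request(client_id: str, code: str, code_verifier: str,
                        redirect_uri: str) -> dict[str, str]:
    """Form body for the POST to the token endpoint (public client, no secret)."""
    return {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "code": code,
        "code_verifier": code_verifier,
        "redirect_uri": redirect_uri,
    }


def missing_authorize_params(url: str) -> list[str]:
    """Names from REQUIRED_AUTHORIZE_PARAMS absent from the URL's query string.

    Useful for diagnosing a client (Swagger UI, Postman, ...) by pasting the
    authorize URL it actually sends, e.g. from the browser's network tab.
    """
    present = set(parse_qs(urlparse(url).query).keys())
    return sorted(REQUIRED_AUTHORIZE_PARAMS - present)


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    url = build_authorize_url(
        "https://issuer.example/authorize",       # placeholder endpoint
        "my-client-id", "myapp://callback",        # placeholder client / redirect
        "openid profile email", "https://api.example", secrets.token_urlsafe(16), challenge,
    )
    print("authorize URL:", url)
    print("missing from full URL:", missing_authorize_params(url))
    print("token body:", build_token_request("my-client-id", "CODE_FROM_CALLBACK", verifier, "myapp://callback"))
```

Running `missing_authorize_params` on an authorize URL captured from Swagger UI or Postman shows at a glance which of the parameters the manual flow sends are absent; an exchange without `code_challenge` on the first leg cannot carry a `code_verifier` on the second, and without `audience` the provider described in the post issues an opaque token rather than a JWT.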