Token endpoint { error : access_denied, error_description : Unauthorized }

I'm trying to implement an OAuth client for a mobile device using the PKCE flow. I created a client just for testing. When I try to get the token from the token endpoint I always end up with this error message as a response:

{"error":"access_denied","error_description":"Unauthorized"}

My initial request to login is made to this URL:
https://dev-m4d-o5x8.eu.auth0.com/authorize?response_type=code&code_challenge=BQ8HN_gme9TyBeJKKfPsh8b5nO8nujAynlFXdXWE-M8&code_challenge_method=S256&client_id=LmmnYyqkKY9yDbhuzQ2f4gpvNGGKLnsT&redirect_uri=deeplinkscheme://deeplinkexample.com&scope=offline&audience=https://myApi.com&state=AGh14GTZsdf45

from which I receive the response, after logging in:
{code: ukfRo0wbB_xA4gCy, state: AGh14GTZsdf45}

I then use this code to make an access token request:
https://dev-m4d-o5x8.eu.auth0.com/oauth/token?grant_type=authorization_code&code_verifier=VL88D.LaqeB3XVbKYU2yMoA0.8q1OMJpvVF33dt4I1BWD0ipgW7lDRrxdNhgPDLaZSf.kSoN-kKjL96HvL2_pR8wA3h7OtitMpjmXz0lEMsWD0fO9IjWGXtSIqRlb6XA&code=ukfRo0wbB_xA4gCy&client_id=LmmnYyqkKY9yDbhuzQ2f4gpvNGGKLnsT&redirect_uri=deeplinkscheme://deeplinkexample.com

In the Auth0 dashboard I have created an API with the identifier https://myApi.com and I have an application with the client_id LmmnYyqkKY9yDbhuzQ2f4gpvNGGKLnsT set to Native.

I can't see what I'm doing wrong, can someone help me out?

Hi @claude_hasler,

Thanks for reaching out to the Auth0 Community!

After looking closely at your /authorize and /oauth/token requests, there does not seem to be anything wrong. I have even inspected your tenant and found that your application uses the correct client ID and application type (Native).

One thing I did notice was your scope was set to offline but I believe you want offline_access to get refresh tokens.

I have tested the Authorization Code Flow with PKCE and could get it to return an access token. I also managed to reproduce your issue, only by providing an incorrect client_id or if I did not specify certain headers in the /oauth/token request.

Now, because of that, could you please clarify how you made your request to the /oauth/token endpoint?

For example, in Postman I executed the following request:

curl --location --request POST 'https://MY_DOMAIN.REGION.auth0.com/oauth/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=authorization_code' \
--data-urlencode 'client_id=MY_CLIENT_ID' \
--data-urlencode 'code=IyU6BXCMsIuC6fECwhk4CO6knBEf6J8LXYeJjQi2rzb00' \
--data-urlencode 'code_verifier=rI_Sk2hFhS89hCw4Q69G2hxT4RWfmCIRnIhZqBnPIgbtK7jck_ewFmV.H.o22BNII-A~Lta4fZyEQnp70Rdp7Luyh17rV4lB4bQvHMM.RfSqs5LaRZiS8J36826F_mtw' \
--data-urlencode 'redirect_uri=http://localhost:3000'

Looking forward to your response.

Thanks.

Thanks for the response. I was POSTing with all parameters in the query. I have now switched to adding the parameters in the body with the ‘Content-Type: application/x-www-form-urlencoded’ header. Access token is now being received. Thank you very much. :slight_smile:

Is this noted anywhere that the parameters must be passed in the body as opposed to the query? Or is this more of a POST convention being applied?

Hi @claude_hasler,

Thank you for your response, and I’m happy that it’s working now!

Sure, it is defined in the Add Login Using the Authorization Code Flow with PKCE and https://auth0.com/docs/api/authentication#authorization-code-flow-with-pkce docs.

Please don’t hesitate to reach out if you have any further questions.

Thank you!
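The thread above comes down to two points: the PKCE pair (code_verifier / S256 code_challenge) has to be generated and checked correctly, and the /oauth/token request must be a POST carrying the grant in an application/x-www-form-urlencoded body, not in the query string. The following is an added example, not code from the original posts or from Auth0; it uses placeholder tenant values (MY_DOMAIN.REGION.auth0.com, MY_CLIENT_ID, the poster's redirect URI and audience as stand-ins) and a constructed authorization code. The toy_token_endpoint function is an illustrative stand-in for how a form-encoded token endpoint sees the two request shapes, not Auth0's implementation; it only reads the body, which is why the "everything in the query" variant is rejected.

```python
import base64
import hashlib
import secrets
import urllib.parse
import urllib.request

# Placeholder tenant settings (assumed values, not the poster's real tenant).
DOMAIN = "MY_DOMAIN.REGION.auth0.com"
CLIENT_ID = "MY_CLIENT_ID"
REDIRECT_URI = "deeplinkscheme://deeplinkexample.com"
AUDIENCE = "https://myApi.com"
TOKEN_URL = f"https://{DOMAIN}/oauth/token"


def b64url(raw: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_verifier() -> str:
    """code_verifier: 32 random bytes -> 43 unreserved chars (RFC 7636 allows 43..128)."""
    return b64url(secrets.token_bytes(32))


def make_challenge(verifier: str) -> str:
    """S256 code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def verifier_matches(verifier: str, challenge: str) -> bool:
    """The check the authorization server performs at /oauth/token (constant-time compare)."""
    return secrets.compare_digest(make_challenge(verifier), challenge)


def authorize_url(challenge: str, state: str) -> str:
    """Step 1: the GET the device browser opens. Query parameters are correct here."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
        "scope": "openid offline_access",  # offline_access (not 'offline') to get a refresh token
        "audience": AUDIENCE,
        "state": state,
    }
    return f"https://{DOMAIN}/authorize?" + urllib.parse.urlencode(params)


def _grant(code: str, verifier: str) -> dict:
    return {
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "code": code,
        "code_verifier": verifier,
        "redirect_uri": REDIRECT_URI,
    }


def token_request(code: str, verifier: str) -> urllib.request.Request:
    """Step 2, done right: POST with the grant in a form-encoded body (RFC 6749 section 4.1.3)."""
    body = urllib.parse.urlencode(_grant(code, verifier)).encode("ascii")
    return urllib.request.Request(
        TOKEN_URL, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )


def token_request_in_query(code: str, verifier: str) -> urllib.request.Request:
    """Step 2 the way the poster first did it: POST, every parameter in the URL, empty body."""
    query = urllib.parse.urlencode(_grant(code, verifier))
    return urllib.request.Request(TOKEN_URL + "?" + query, data=b"", method="POST")


def toy_token_endpoint(req: urllib.request.Request, expected_challenge: str) -> dict:
    """Illustrative stand-in (not Auth0's code): reads the grant only from the form body,
    so parameters left in the query string are never seen and the grant is refused."""
    headers = {k.lower(): v for k, v in req.header_items()}
    form = {}
    if headers.get("content-type") == "application/x-www-form-urlencoded":
        raw = (req.data or b"").decode("ascii")
        form = {k: v[0] for k, v in urllib.parse.parse_qs(raw).items()}
    if form.get("grant_type") != "authorization_code" or "code" not in form:
        return {"error": "access_denied", "error_description": "Unauthorized"}
    if not verifier_matches(form.get("code_verifier", ""), expected_challenge):
        return {"error": "access_denied", "error_description": "code_verifier mismatch"}
    return {"granted": True}


if __name__ == "__main__":
    verifier = make_verifier()
    challenge = make_challenge(verifier)
    code = "CONSTRUCTED_CODE"  # stand-in for the code returned on the redirect
    print(authorize_url(challenge, state=secrets.token_urlsafe(16)))
    print("query-string POST:", toy_token_endpoint(token_request_in_query(code, verifier), challenge))
    print("form-body POST:   ", toy_token_endpoint(token_request(code, verifier), challenge))
```

To send the real request, pass the object from token_request to urllib.request.urlopen; the verifier must be the one generated for that same /authorize call, and the redirect_uri sent here must match the one registered for the Native application exactly.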