Using Authorization Code Flow with PKCE with non-native apps

I have a requirement where I am creating an non-native client app which requires refresh token in the response. Also we don’t want to save client secret on any client machine. So I tried the flow with PKCE.

I used this document. But when I try hitting the /authorize endpoint, I get the following error:

<strong>invalid_request</strong>: You may have pressed the back button, refreshed during login, opened too many login dialogs, or there is some issue with cookies, since we couldn&#39;t find your session. Try logging in again from the application and if the problem persists please contact the administrator.

Is it possible to achieve with PKCE? Or should I use any other flow.

Any help appreciated!

1 Like

Hey there @ashna.malhotra and welcome to the Auth0 Community!

I would love to find out more about the stack you are using as we work to find out if PKCE is the right fit for your desired end result. Any additional information would be appreciated. Thanks in advance!

Hey thanks @James.Morrison for taking a look at this!

So we want an authorisation flow for 3 components: an Electron app, a CLI and on Docker. Using NodeJS to make any requests and dealing with the response.

We wanted to have a common flow for all of them. We DO NOT want to store the client secret for our Auth0 application on any client machine. And also want refresh token back so that we can make use of it in our Docker.

Tried the flow with Regular Web App which otherwise seemed to work nicely other than it requires client secret to be stored somewhere(at least in Git repository). PKCE flow seemed to not need the client secret and can also give us refresh token back, so thought if we can make it work. But faced issue mentioned in the original question.

We are stuck at this point and would be great if you can help. Thanks!

1 Like

To follow up on this front, it appears there were two main solutions that helped in you in your quest. I will share them here for public historical data. Please let us know if you have any questions in the future!

  1. /authorize endpoint needed to be called from the browser, and not by the backend. You are able to generate the /authorize URL and pass it to the browser as a redirect.
  2. The above call will return a code that needs to be exchanged for tokens. The /oauth/token endpoint used for this purpose should be called from the backend (via Node.js).

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.