About Zapier Community
New to our Community? Get to know more about our space and how to make the most of your time here.

Code of Conduct Community FAQ's Zapier Common Questions What to Expect

Get Started With Zapier
New to Zapier? We have got you covered with our Zapier 101 Resources.

Zapier Essentials

Get Support
Have a question? Let's get you an answer!

How Do I...? Troubleshooting Code & Webhooks Developer Zone

Other Help Resources
Wait, there's more! Check out these Community sourced spaces for additional resources.

Zapier Help Center Hire an Expert

Zapier Products
Learn more about Zapier's new products.

Zapier Tables Zapier Interfaces

Zapier Reading
All of our best learning resources can be found here.

Featured Articles Show & Tell AI Hub Zapier Tools Hub

Learning Groups
Excited to meet other builders? Check out our interest areas full of doers, dreamers, and in-betweeners.

User Groups

Other Learning Resources
Some of our favorite additional ways to upskill your Zapier knowledge.

Zapier Learn Zapier Blog Zapier Webinars

Product Updates
Check out what is new and upcoming with Zapier with our regular product updates.

Product Updates

Early Access Program
Want to join Early Access? Learn more here.

Question

OAuth2 flow with client secret and PKCE

  • 14 July 2022
  • 1 reply
  • 176 views
M

Hi!

I know this question has been asked before but in those cases the comments are now closed and I would like to add some additional input.

 

I have been asked to create a zapier app to integrate with out API and have hit a road block at the aurthentication stage.  Our token server enforces PKCE along with client id/secret. I’ve seen replies on here suggesting that PKCE is used as a replacement for client secrets but that’s not the case here (and seems a fairly common scenario).

 

From https://oauth.net/2/pkce/

PKCE was originally designed to protect the authorization code flow in mobile apps, but its ability to prevent authorization code injection makes it useful for every type of OAuth client, even web apps that use a client secret.

 

I’d rather not go down the route of disabling these checks in our IDP if possible so any suggestions on a way forwards would be helpful.

 

Many thanks!

 

This post has been closed for comments. Please create a new post if you need help or have a question about this topic.

1 reply

M
Userlevel 4
Badge +9

Hey @Matt Channer 👋

As mentioned in this thread you’ve likely already seen -

 

Zapier doesn’t support OAuth2 with PKCE by default at the moment but you could try build your app with the CLI (command line interface) for more functionality in configuring the authentication. 
 
CLI: https://github.com/zapier/zapier-platform/blob/master/packages/cli/README.md#custom 


If you’ve started your app in the Visual Builder, you can export your app to the CLI: https://platform.zapier.com/docs/export 

I did confirm that the Zapier team has discussed updating the OAuth 2 implementation to support PKCE but there’s no definitive timeline on that work at the moment. 

If anyone else reading has had success implementing the code challenge and code verifier in their app, please do chime in with your experiences! 

Terms & Conditions