Hi!
I know this question has been asked before but in those cases the comments are now closed and I would like to add some additional input.
I have been asked to create a zapier app to integrate with out API and have hit a road block at the aurthentication stage. Our token server enforces PKCE along with client id/secret. I’ve seen replies on here suggesting that PKCE is used as a replacement for client secrets but that’s not the case here (and seems a fairly common scenario).
From https://oauth.net/2/pkce/
PKCE was originally designed to protect the authorization code flow in mobile apps, but its ability to prevent authorization code injection makes it useful for every type of OAuth client, even web apps that use a client secret.
I’d rather not go down the route of disabling these checks in our IDP if possible so any suggestions on a way forwards would be helpful.
Many thanks!