As per PKCE spec, OAuth provider uses code_verifier to avoid the man in the middle attack. My understanding that, it is the best alternative for JavaScript based single page application (SPA) to exchange OAuth code for token.
When I experiment this with Google API, it says "client_secret is missing".
Here is the HTTP Request and Response.
ID: 1 Address: https://oauth2.googleapis.com/token Http-Method: POST Content-Type: application/x-www-form-urlencoded Headers: {Content-Type=[application/x-www-form-urlencoded], Accept=[/]} Payload: grant_type=authorization_code&code=4%2F1AH3Ubnm550IoT8AZ_e_eqLYDn3-JyXVo22LOcAlsWPnxTV_o0tV2N1YMNFtqhvFm65n4tuZmHfK5tkKLOsbnRw&scope=openid+profile+email&redirect_uri=https%3A%2F%2Flocalhost%3A8443%2Fdemo&client_id=myclientid.apps.googleusercontent.com&code_verifier=iv8n89-Dh3QD1uroYm6e6jcpZwxff60m-RYYlmLYArun6KF8o0z%7Ee3EjyVyYUp.4XxSbyI47QQSCMrY542sLWSUnxAG8e0a%7ETjmF_UFioJMA_ctB2jz6qbcYtu9uUOKp
ID: 1 Response-Code: 400 Encoding: UTF-8 Content-Type: application/json; charset=utf-8 Headers: {Accept-Ranges=[none], Alt-Svc=[h3-28=":443"; ma=2592000,h3-27=":443"; ma=2592000,h3-25=":443"; ma=2592000,h3-T050=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q049=":443"; ma=2592000,h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"], Cache-Control=[private], content-type=[application/json; charset=utf-8], Date=[Mon, 22 Jun 2020 04:41:53 GMT], Server=[scaffolding on HTTPServer2], transfer-encoding=[chunked], Vary=[Origin,Accept-Encoding, Referer, X-Origin], X-Content-Type-Options=[nosniff], X-Frame-Options=[SAMEORIGIN], X-XSS-Protection=[0]} Payload: { "error": "invalid_request", "error_description": "client_secret is missing." }
Is my understanding that "we don't need client_secret when passing code_verifier" wrong or Google is not supporting PKCE or Do I miss some other parameter in the request? Please help.