Hello!
The Authorization button doesn't work with the Okta JWT token provider and the clientCredentials flow.
Having a securitySchemes section like:

    securitySchemes:
      publicApiKey:
        type: apiKey
        name: Authorization
        in: header
      myOAuth2:
        type: oauth2
        flows:
          clientCredentials:
            tokenUrl: https://my.okta.com/oauth2/default/v1/token
            scopes:
              api_public: access to the endpoint
The dev portal web UI always sends an Origin header. Okta responds with Access-Control-Allow-Origin when the credentials are valid, but the response code is 401 and the body is:

    {
      "error": "invalid_client",
      "error_description": "Browser requests to the token endpoint must use Proof Key for Code Exchange."
    }
So my question is: is it possible to change something on the Apigee side to prevent sending the Origin header, at least for the clientCredentials flow?
My point here: any server, not just Okta, should consider requests with an Origin header to be browser requests, and thus it has every right to respond with an error when it expects a call from a server.
This is not the same as, but close to, https://community.apigee.com/questions/61809/dev-portal-invocation-external-oauth.html, as Okta is customizable and can respond with the same header as the Origin in the CORS header.
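The following is an added example and is not part of the original post, nor code from Apigee or Okta. It uses only the Python standard library and works on a constructed OpenAPI 3 document built from the securitySchemes shown above (in JSON form rather than YAML, so no third-party parser is needed). It does three things a portal operator would want: lint the spec for OAuth2 flows that a browser-based "Authorize" button should never attempt (clientCredentials and password, since both require the client secret, which would otherwise be shipped to the browser; Okta's PKCE enforcement is refusing exactly that), classify the 401 body quoted in the post so it can be recognised in logs, and assemble the token request a backend proxy would send instead of the browser, which carries no Origin header. The spec, the client_id/client_secret values, and the classification labels are constructed for the example.

```python
"""Lint an OpenAPI 3 document for OAuth2 flows a browser console cannot drive,
classify the Okta token-endpoint error from the post, and build the equivalent
server-side (no Origin header) client_credentials request."""
import base64
import json
from urllib.parse import urlencode

# Constructed sample: the securitySchemes from the post, expressed as OpenAPI 3 JSON.
SAMPLE_OPENAPI = {
    "openapi": "3.0.0",
    "info": {"title": "sample", "version": "1"},
    "paths": {},
    "components": {
        "securitySchemes": {
            "publicApiKey": {"type": "apiKey", "name": "Authorization", "in": "header"},
            "myOAuth2": {
                "type": "oauth2",
                "flows": {
                    "clientCredentials": {
                        "tokenUrl": "https://my.okta.com/oauth2/default/v1/token",
                        "scopes": {"api_public": "access to the endpoint"},
                    }
                },
            },
        }
    },
}

# OAuth 2.0 grants that need a confidential client (a client secret). They belong
# on a server; a browser console sending an Origin header should not attempt them.
CONFIDENTIAL_FLOWS = {"clientCredentials", "password"}


def find_server_only_flows(spec):
    """Return [(scheme_name, flow_name, tokenUrl)] for every oauth2 flow in the
    spec that a browser-based Authorize button should not try to complete."""
    findings = []
    schemes = spec.get("components", {}).get("securitySchemes", {})
    for name, scheme in schemes.items():
        if scheme.get("type") != "oauth2":
            continue
        for flow_name, flow in scheme.get("flows", {}).items():
            if flow_name in CONFIDENTIAL_FLOWS:
                findings.append((name, flow_name, flow.get("tokenUrl")))
    return findings


# Constructed sample: the status and body the post reports from Okta.
SAMPLE_TOKEN_RESPONSE = (
    401,
    '{"error": "invalid_client", "error_description": '
    '"Browser requests to the token endpoint must use Proof Key for Code Exchange."}',
)


def classify_token_error(status, body):
    """Map a token-endpoint response to a diagnosis label (labels are this
    example's own): 'ok', 'pkce_required', 'invalid_client' or 'other_error'."""
    if status == 200:
        return "ok"
    try:
        payload = json.loads(body)
    except json.JSONDecodeError:
        return "other_error"
    error = payload.get("error")
    description = payload.get("error_description", "")
    # Okta's wording for a token request that carried an Origin header but no PKCE.
    if error == "invalid_client" and "Proof Key for Code Exchange" in description:
        return "pkce_required"
    if error == "invalid_client":
        return "invalid_client"
    return "other_error"


def build_server_side_token_request(token_url, client_id, client_secret, scope):
    """Assemble the client_credentials request a backend proxy would send on the
    browser's behalf: HTTP Basic client auth, form body, and no Origin header.
    The caller performs the HTTP call; this only builds it."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return {
        "method": "POST",
        "url": token_url,
        "headers": {
            "Authorization": f"Basic {basic}",
            "Content-Type": "application/x-www-form-urlencoded",
            "Accept": "application/json",
        },
        "body": urlencode({"grant_type": "client_credentials", "scope": scope}),
    }


if __name__ == "__main__":
    for scheme, flow, url in find_server_only_flows(SAMPLE_OPENAPI):
        print(f"{scheme}: flow '{flow}' at {url} must be driven from a server, not the browser")
    print("Okta response classified as:", classify_token_error(*SAMPLE_TOKEN_RESPONSE))
    # Placeholder credentials; a real deployment reads them from a secret store.
    req = build_server_side_token_request(
        "https://my.okta.com/oauth2/default/v1/token", "CLIENT_ID", "CLIENT_SECRET", "api_public")
    print("Server-side request carries Origin header:", "Origin" in req["headers"])
```

The lint flags myOAuth2/clientCredentials from the sample spec, the classifier returns pkce_required for the quoted 401, and the built request has no Origin header because it originates from a backend rather than a browser, which is the shape the token endpoint is asking for.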