I’m setting up an OAuth2 application for my Gitea Organization and I’d like to use the Proof Key for Code Exchange (PKCE) grant.
There’s a great example in the docs (OAuth2 provider - Docs), however it explicitly says:
Note: This example does not use PKCE.
I was wondering if anyone can point me to a working example? The Authorization Endpoint seems to be working fine, but when I POST to the Access Token Endpoint it throws:
Only refresh_token or authorization_code grant type is supported
which is weird because I have grant_type=authorization_code in my request.
Any nudge in the right direction is appreciated, thank you!
I had exactly the same issue.
This is my body and it says only authorization_code is supported
{"$type":"TGiteaAccessTokenRequestBody",
"client_id":"e12-----a465-81381b0340e7",
"client_secret":"gto_akcd----57nzvmuhmpe3zkgxjufh5va",
"code":"gta_niew------44cnrgatbr7aqda",
"grant_type":"authorization_code ",
"redirect_url":"-----"}
Inspecting the code in another tool, I noticed the trailing space. I copied the example… removing the space behind authorization_code makes it work fine!
Thanks for the response @holgerflick!
I’m confused why you’re passing the client_secret, though; is that necessary?
From OpenId Connect Auth Code Flow + PKCE - OneLogin API
The key difference between the PKCE flow and the standard Authorization Code flow is users aren’t required to provide a client_secret.