OAuth PKCE Example

I’m setting up an OAuth2 application for my Gitea Organization and I’d like to use the Proof Key for Code Exchange (PKCE) grant.

There’s a great example in the docs (https://docs.gitea.io/en-us/development/oauth2-provider/), however it explicitly says:

Note: This example does not use PKCE.

I was wondering if anyone can point me to a working example? The Authorization Endpoint seems to be working fine, but when I POST to the Access Token Endpoint it throws:

Only refresh_token or authorization_code grant type is supported

which is weird because I have grant_type=authorization_code in my request.

Any nudge in the right direction is appreciated, thank you!

I had exactly the same issue.

This is my body and it says only authorization_code is supported :slight_smile:

{"$type":"TGiteaAccessTokenRequestBody",
"client_id":"e12-----a465-81381b0340e7",
"client_secret":"gto_akcd----57nzvmuhmpe3zkgxjufh5va",
"code":"gta_niew------44cnrgatbr7aqda",
"grant_type":"authorization_code ",
"redirect_url":"-----"}

Inspecting the code in another tool, I noticed the trailing space. I copied the example… removing the space behind authorization_code makes it work fine!

Thanks for the response @holgerflick!

I’m confused why you’re passing the client_secret though, is that necessary?

From OpenId Connect Auth Code Flow + PKCE - OneLogin API

The key difference between the PKCE flow and the standard Authorization Code flow is users aren’t required to provide a client_secret.

My colleague found that setting “Content-Type” to “application/x-www-form-urlencoded” fixed the vague grant type error we were experiencing. Hope that helps someone!
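Putting the three answers in this thread together, here is an added example (not code from the original posts, and not Gitea's own implementation) of a PKCE authorization-code exchange shaped for Gitea's OAuth2 endpoints: an S256 code_verifier/code_challenge pair per RFC 7636, the authorize URL, and a token request that is form-encoded, carries `grant_type=authorization_code` with no trailing whitespace, and sends no `client_secret` because a PKCE public client proves possession of the code with `code_verifier` instead. The endpoint paths `/login/oauth/authorize` and `/login/oauth/access_token` are the ones in the Gitea OAuth2 provider docs linked above; the base URL, client_id, redirect URI and authorization code are constructed placeholders, and `mock_token_endpoint` is a stand-in written for this example so the two failure modes described in the thread (wrong Content-Type, trailing space in grant_type) can be reproduced offline. Real Gitea may behave differently in detail.

```python
"""Added example: PKCE (RFC 7636) exchange shaped for Gitea's OAuth2 endpoints,
with a constructed server-side stand-in. Not Gitea's code."""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode

# Endpoint paths from the Gitea OAuth2 provider docs; everything else below
# (base URL, client id, redirect URI, code) is a constructed placeholder.
AUTHORIZE_PATH = "/login/oauth/authorize"
TOKEN_PATH = "/login/oauth/access_token"
BASE_URL = "https://gitea.example"
CLIENT_ID = "constructed-client-id"
REDIRECT_URI = "http://localhost:8080/callback"


def code_challenge(verifier):
    """S256 challenge: base64url(SHA-256(verifier)) without '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def make_pkce_pair():
    """Return (code_verifier, code_challenge) for one authorization request."""
    # 32 random bytes -> 43 URL-safe characters, inside RFC 7636's 43..128 range.
    verifier = secrets.token_urlsafe(32)
    return verifier, code_challenge(verifier)


def build_authorize_url(base_url, client_id, redirect_uri, state, challenge):
    """Browser-leg URL; the challenge goes here, the verifier stays client-side."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "state": state,
        "code_challenge_method": "S256",
        "code_challenge": challenge,
    }
    return f"{base_url.rstrip('/')}{AUTHORIZE_PATH}?{urlencode(params)}"


def build_token_request(client_id, code, redirect_uri, verifier, client_secret=None):
    """Headers and form-encoded body for the POST to the access-token endpoint.

    A public client sends code_verifier and no client_secret; pass client_secret
    only if the application was registered as a confidential client.
    """
    fields = {
        "grant_type": "authorization_code",  # exact value, no trailing space
        "client_id": client_id,
        "code": code,
        "redirect_uri": redirect_uri,
        "code_verifier": verifier,
    }
    if client_secret is not None:
        fields["client_secret"] = client_secret
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return headers, urlencode(fields)


def mock_token_endpoint(headers, body, expected_challenge):
    """Constructed stand-in for the server side (NOT Gitea's implementation).

    Models the thread's two failures: a body that is not read as a form because
    of its Content-Type, and a grant_type that fails an exact string comparison
    because of a trailing space. Then checks the verifier against the challenge.
    """
    if headers.get("Content-Type") != "application/x-www-form-urlencoded":
        return {"error": "invalid_request",
                "error_description": "body was not parsed as a form"}
    form = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    if form.get("grant_type") not in ("authorization_code", "refresh_token"):
        return {"error": "unsupported_grant_type",
                "error_description": "Only refresh_token or authorization_code "
                                     "grant type is supported"}
    if code_challenge(form.get("code_verifier", "")) != expected_challenge:
        return {"error": "invalid_grant",
                "error_description": "code_verifier does not match code_challenge"}
    return {"access_token": "constructed-access-token", "token_type": "bearer"}


def demo():
    """Whole flow offline; the browser redirect is replaced by a constructed code."""
    verifier, challenge = make_pkce_pair()
    url = build_authorize_url(BASE_URL, CLIENT_ID, REDIRECT_URI,
                              secrets.token_urlsafe(16), challenge)
    print("send the user to:", url)
    code = "gta_constructed_code"  # what Gitea would put in ?code= on redirect
    headers, body = build_token_request(CLIENT_ID, code, REDIRECT_URI, verifier)
    print("POST", BASE_URL + TOKEN_PATH, headers, body)
    return mock_token_endpoint(headers, body, challenge)


if __name__ == "__main__":
    print(demo())
```

If you keep getting the grant-type error with a body that looks right, compare the raw bytes on the wire rather than the tool's rendering: a `+` or `%20` after `authorization_code` in the form body is the trailing space from the thread, and a `Content-Type: application/json` header on a form body means the server never saw `grant_type` at all.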