Xero Developer Community

Auth with PKCE example

Started by Mike Sheen in API Authentication

I've been trying to get OAuth 2 with the PKCE flow going, following the documentation at https://developer.xero.com/documentation/guides/oauth2/pkce-flow/

I've not been able to get that to work; I kept on getting a 400 "invalid_client" response on the step to exchange the verification code for an access token (the POST to https://identity.xero.com/connect/token).

I tried also with the code flow shown on https://developer.xero.com/documentation/guides/oauth2/auth-flow/ and eventually did get that to work, but had to deviate from the guidance.

The guidance there says to use a header of:
Authorization: "Basic " + base64encode(client_id + ":" + client_secret)

But I think that's wrong. I downloaded the working sample from GitHub (https://github.com/XeroAPI/xero-netstandard-oauth2-starter-app-dotnet-framework) and used Fiddler to examine the POST and it does not use an Authorization header at all - and so when I modified my non-working code to not use the Authorization header and instead put the client_id and client_secret in the body it worked.

That sample project uses the Xero.NetStandard.OAuth2.Client.XeroClient so perhaps things have changed a little and the documentation hasn't kept up.

So anyway, I'm thinking the guidance around PKCE flow might also be a little out of date - is there a working example anywhere of using PKCE?

I'm wanting to integrate into a desktop application, but I can't find any suitable examples.


Best Reply as chosen by Mike Sheen (Original Poster)
We have an example app using PKCE in a desktop app. It has been built so that you can see the calls being made.

Please let us know how you get on.


Robin B (Community Manager)
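
Added illustration, not part of the thread and not Xero's sample app: the PKCE values and the token request for a public (desktop) client as defined in RFC 7636, sketched in Python. The token endpoint is the one quoted in the question; the client id, redirect URI, scope, state and code are caller-supplied placeholders, and the parameter names are the standard OAuth 2.0 ones, assumed here to match Xero's PKCE guide.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

TOKEN_URL = "https://identity.xero.com/connect/token"  # endpoint quoted in the question


def b64url(raw: bytes) -> str:
    # RFC 7636 uses base64url with the trailing '=' padding removed
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def new_verifier() -> str:
    # 64 random bytes -> 86 characters, inside the 43..128 range RFC 7636 requires
    return b64url(secrets.token_bytes(64))


def challenge_s256(verifier: str) -> str:
    # code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def authorize_params(client_id, redirect_uri, scope, state, verifier):
    # Query string for the authorization request; only the challenge leaves the app here
    return urlencode({
        "response_type": "code", "client_id": client_id,
        "redirect_uri": redirect_uri, "scope": scope, "state": state,
        "code_challenge": challenge_s256(verifier),
        "code_challenge_method": "S256",
    })


def pkce_token_request(client_id, redirect_uri, code, verifier):
    # Public client: no client_secret and no Authorization header;
    # the verifier proves that this app started the flow
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({
        "grant_type": "authorization_code", "client_id": client_id,
        "code": code, "redirect_uri": redirect_uri, "code_verifier": verifier,
    })
    return TOKEN_URL, headers, body


def server_accepts(verifier: str, stored_challenge: str) -> bool:
    # What the authorization server checks at the token step (constant-time compare)
    return hmac.compare_digest(challenge_s256(verifier), stored_challenge)
```

Keeping the verifier in memory for the lifetime of one sign-in and generating a fresh one per authorization request is what lets a desktop app omit the client secret.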