
Auth with PKCE example
I've been trying to get OAuth 2 with the PKCE flow going, following the documentation at https://developer.xero.com/documentation/guides/oauth2/pkce-flow/
I've not been able to get that to work; I kept getting a 400 "invalid_client" response on the step to exchange the verification code for an access token (the POST to https://identity.xero.com/connect/token).
I tried also with the code flow shown on https://developer.xero.com/documentation/guides/oauth2/auth-flow/ and eventually did get that to work, but had to deviate from the guidance.
The guidance there says to use a header of:
Authorization: "Basic " + base64encode(client_id + ":" + client_secret)
But I think that's wrong. I downloaded the working sample from Github (https://github.com/XeroAPI/xero-netstandard-oauth2-starter-app-dotnet-framework) and used Fiddler to examine the POST and it does not use an Authorization header at all - and so when I modified my non-working code to not use the Authorization header and instead put the client_id and client_secret in the body it worked.
That sample project uses the Xero.NetStandard.OAuth2.Client.XeroClient so perhaps things have changed a little and the documentation hasn't kept up.
So anyway, I'm thinking the guidance around the PKCE flow might also be a little out of date - is there a working example anywhere of using PKCE?
I'm looking to integrate this into a desktop application, but I can't find any suitable examples.
Thanks!
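The two things the post turns on are what the client sends to the token endpoint and how the PKCE verifier/challenge pair is formed. The following is an added example, not part of the original post and not Xero's SDK code: it builds (but does not send) the authorize URL and the token-endpoint POST for a desktop client, side by side in the three client-authentication shapes that RFC 6749 allows (no secret at all for a PKCE public client, secret in the form body, secret in a Basic header), so the shapes can be compared against whatever a Fiddler trace of a working client shows. The token URL is the one named in the post; the authorize URL, the loopback redirect URI, the client id/secret and the authorization code are placeholders assumed for illustration, and the known-answer check uses the RFC 7636 Appendix B test vector. Which of the three client-authentication methods a given token endpoint accepts is provider configuration, which this code does not verify.

```python
import base64
import hashlib
import hmac
import secrets
import string
import urllib.parse

# Token endpoint as named in the post. The authorize endpoint and redirect URI are
# placeholders (assumptions of this example): substitute the provider's documented values.
TOKEN_URL = "https://identity.xero.com/connect/token"
AUTHORIZE_URL = "https://example.invalid/connect/authorize"  # assumption, not Xero's endpoint
REDIRECT_URI = "http://127.0.0.1:5000/callback"              # loopback redirect for a desktop app (RFC 8252)

VERIFIER_CHARS = set(string.ascii_letters + string.digits + "-._~")


def make_code_verifier(n_bytes: int = 32) -> str:
    """RFC 7636 s4.1: 43..128 chars from [A-Za-z0-9-._~]; 32 random bytes -> 43 base64url chars."""
    return base64.urlsafe_b64encode(secrets.token_bytes(n_bytes)).rstrip(b"=").decode("ascii")


def is_valid_verifier(verifier: str) -> bool:
    return 43 <= len(verifier) <= 128 and set(verifier) <= VERIFIER_CHARS


def make_code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(verifier))) with padding stripped (RFC 7636 s4.2)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def verify_code_challenge(verifier: str, challenge: str) -> bool:
    """The server-side check at the token endpoint: recompute and compare in constant time."""
    return hmac.compare_digest(make_code_challenge(verifier), challenge)


def build_authorize_url(client_id: str, scope: str, state: str, challenge: str) -> str:
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,                    # CSRF binding: check it on the callback
        "code_challenge": challenge,
        "code_challenge_method": "S256",   # "plain" only when SHA-256 is unavailable
    }
    return AUTHORIZE_URL + "?" + urllib.parse.urlencode(params)


def build_token_request(client_id, code, code_verifier, client_secret=None, client_auth="none"):
    """Return (headers, body) for the POST to TOKEN_URL.

    client_auth selects how the client identifies itself (RFC 6749 s2.3.1):
      "none"                - public client, PKCE only: client_id in the body, no secret anywhere
      "client_secret_post"  - client_id and client_secret both in the form body
      "client_secret_basic" - Basic header, id and secret form-urlencoded before base64
    """
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,      # must match the one sent on the authorize request
        "client_id": client_id,
        "code_verifier": code_verifier,
    }
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if client_auth == "client_secret_post":
        body["client_secret"] = client_secret
    elif client_auth == "client_secret_basic":
        cred = urllib.parse.quote(client_id, safe="") + ":" + urllib.parse.quote(client_secret, safe="")
        headers["Authorization"] = "Basic " + base64.b64encode(cred.encode("ascii")).decode("ascii")
    elif client_auth != "none":
        raise ValueError(f"unknown client_auth {client_auth!r}")
    return headers, urllib.parse.urlencode(body)


# RFC 7636 Appendix B test vector, used as a known-answer check of the S256 transform.
RFC7636_VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
RFC7636_CHALLENGE = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"

if __name__ == "__main__":
    assert make_code_challenge(RFC7636_VERIFIER) == RFC7636_CHALLENGE
    verifier = make_code_verifier()
    print(build_authorize_url("my-client-id", "openid profile", secrets.token_urlsafe(16),
                              make_code_challenge(verifier)))
    # "constructed-code" stands in for the code the redirect would carry.
    for mode in ("none", "client_secret_post", "client_secret_basic"):
        headers, body = build_token_request("my-client-id", "constructed-code", verifier, "my-secret", mode)
        print(mode, headers, body, sep="\n  ")
```

The point of keeping the verifier in memory only and sending it solely in the token request is that an attacker who intercepts the authorization code (the interception PKCE was designed against, which a loopback redirect on a shared desktop makes plausible) still cannot redeem it without the verifier. A public desktop client should use the `"none"` shape and embed no secret, since anything compiled into a distributed binary is recoverable.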
2 Replies

Best Reply as chosen by Mike Sheen (Original Poster)
We have an example app using PKCE in a desktop app. It has been built so that you can see the calls being made.
https://github.com/XeroAPI/net-desktop-pkce-example
Please let us know how you get on.
Robin