Solved

Connect to an API that uses a hashed challenge and verifier (PKCE) as part of the OAuth 2.0 flow?

  • April 14, 2023

johnglick

It seems I have no place to force FME to include the code_verifier parameter in the request body to obtain a token (see requirements below). Any ideas of how to work around this in FME? The Postman equivalent is selecting the grant type as "Authorization Code (with PKCE)". I can use the same challenge and verifier more than once, I just need to include it in the body rather than a querystring.

 

Per the platform's API docs:

Parameters sent in Request Body, Form-URL Encoded. (cannot use JSON or querystring)

code=<code received in callback url>

client_id=<Application OAuth Client ID>

client_secret=<Application OAuth Client Secret>

grant_type=authorization_code

redirect_uri=<User redirect URL (from step 4)>

code_verifier=<User Generated Code Verifier>

 

 

Best answer by desiree_at_safe

Hi @johnglick! I came across your post, and I figured a reply would (hopefully) still help you and the community.

But FME actually generates these values for you: the code verifier and the code challenge.

To use PKCE in FME, you just have to set the challenge method: SHA-256 or Plaintext.


In most cases, the code verifier length and state length can safely be left at their default values unless the OAuth server’s documentation specifies otherwise. 

Hope this helps! 🙂
