Authcode + PKCE No access token received from auth server
I have checked the following:
- [x] I have searched existing issues and found nothing related to my issue.
This bug is:
- [x] making Bruno unusable for me
- [ ] slowing me down but I'm able to continue working
- [ ] annoying
- [ ] this feature was working in a previous version but is broken in the current release.
Bruno version
2.9.1
Operating System
macOS Version 15.6
Describe the bug
Authcode PKCE flow is not working, at collection level as well as at child request level.
.bru file to reproduce the bug
use any oauth2 provider that supports PKCE
Screenshots/Live demo link
@AliVerses we need some more information to help here. We verified that the PKCE setup currently works with keycloak server.
Some questions
- Are you trying to authenticate with a public service like Github / Microsoft / Google etc ?
- Would you be open to debug this over a call ?
@AliVerses we need some more information to help here. We verified that the PKCE setup currently works with keycloak server.
Some questions
- Are you trying to authenticate with a public service like Github / Microsoft / Google etc ?
- Would you be open to debug this over a call ? -- sure let me check.
It's a self-hosted WSO2 service. Also, I checked: if I clone the code and run it locally it works, but not the published installed version on my Mac.
This is really helpful. Thanks @alishah730 We will review and get back.
Hello !
I also get the same issue after updating from 2.9.1 to 2.11.0
No changes on client's configuration nor collection.
Impossible to get a token through the collection authentication - oauth2 - password credentials (manually or through inheritance)
The call is on a Keycloak hosted on a local server.
Access Token URL : https://01.234.56.789:8443/realms/toto/protocol/openid-connect/token
Toggling on/off the "Automatically fetch token if not found" doesn't change anything. Note that the certificate for TLS is not set; I unchecked the SSL/TLS Certificate Verification in the client's options.
I uninstalled the client and reinstalled in 2.9.1 and it worked again.
Regards
Our entire team has been facing this issue since updates after version 2.9.1. (OS: Windows - Bruno with Ultimate license) Any update after version 2.9.1, including the new update 2.12.0, makes Bruno unusable for us. Workaround for now is to stick with version 2.9.1 Please fix this issue.
Been having the same issue since OAuth2 was implemented in Bruno. We've never been able to get OAuth2 + PKCE working in Bruno with Azure Entra, so we've been using our custom pre-request script, but it would be nice to not have to maintain that and use the native functionality out of the box.
@lohit-bruno Could you check and let me know what changes since 2.9.1 has caused this ?
Updated to the latest version 2.13.0 and still having the same issue. Tried adding credentials to the basic auth header and to the request body, with and without PKCE.
I also tried the client credentials grant type and got the same error.
I'm on macOS Sequoia 15.7.1.
Not 100% sure this is related, but I gave Bruno a try today (v2.13.2) and had issues getting a token from our Keycloak instance.
I was using password credentials flow and a public client.
My first trouble was that I did not get the sidebar with the Timeline alongside the Auth in a root collection. I had to switch to a "leaf" Request to see the Timeline and be able to debug my issue.
My actual issue was that if client_secret is left empty, Bruno does not send the client_id in the Basic Auth Header at all! Had to add a random client_secret just so it sends the client_id :D (fortunately Keycloak just ignores the client_secret)
We have contacted Bruno support about this issue, but for the OAuth2.0 Authorization Code flow using EntraID, we have found the following work-around:
- Manually add the client_id parameter to the token request: i.e. in the client interface:
or in a .bru file, add these lines after the auth:oauth2 section (obviously replacing the {{your-app-id}} variable):
auth:oauth2:additional_params:access_token_req:body {
client_id: {{your-app-id}}
}
I hope this helps someone until this issue is addressed.
@hentie I tried your work around but I'm still getting the "no access token received from authorization server" error
Can you provide a larger screenshot of your settings if possible or provide what settings you are using/have enabled?
Sure, I hope the following screenshot helps:
(Please note that this is for the Authorization Code flow, when the token fetch phase shows the error mentioned after upgrading Bruno post v.2.9.1)
@hentie hmmm yeah, tried similar settings to yours and still no luck. It's interesting that you're not passing the client secret; that should be a required value...
Hi,
I am facing the same issue with Bruno 2.11.0 with Azure AD PKCE auth (Entra ID).
Here is my token setup:
- OAuth 2.0 / Authorization code (+PKCE)
- Callback URL: https://xxxx/redirect (my existing/working SPA app URL)
- Authorization URL: https://login.microsoftonline.com//oauth2/v2.0/authorize
- Access Token URL: https://login.microsoftonline.com//oauth2/v2.0/token
- Client ID: my-spa-client-id (tested ok)
- Client secret: (none)
- Scope: api://my-api-scope/access openid profile offline_access
- State: (none)
- Add credentials to: Request body
In the timeline, I can see this during the token fetching process:
HTTP 400 on https://login.microsoftonline.com//oauth2/v2.0/token
AADSTS9002327: Tokens issued for the 'Single-Page Application' client-type may only be redeemed via cross-origin requests
It seems the HTTP request sent to exchange the code for a token is rejected by AAD because some HTTP headers are missing (the request is not identified as an XHR one). I assume it could be the missing Origin and/or Sec-Fetch-Mode (cors) ones.
Thanks
I got it working with Entra ID and Auth Code + PKCE Flow (without a secret specified).
Two things are important / I had to do:
- The callback URL configured in Bruno must be registered on the Entra App Registration as an SPA Redirect URI (not Web!).
- Entra ID seems to require the origin header to be set on the token request. I added it manually in the OAuth config in Bruno:
After that I could log in and got an access token as expected.
Would be cool if the origin header were set automatically by Bruno though.
@J0F3 Fantastic find! setting the origin in the additional parameters worked for me