Bug Report: OAuth2 PKCE flow ignores client_secret in final token exchange

:mag: Description

I’ve identified what seems to be a bug in the OAuth2 PKCE implementation in the N8N credential system, where the client_secret is not sent in the final token exchange, even though it’s configured and required by the target API (Mercado Livre).

This leads to authentication failure during the last step of the PKCE flow.


:white_check_mark: Context

  • N8N version: 1.86.0
  • OAuth Grant Type selected: PKCE
  • Authentication method: Body
  • Authorization URL: https://auth.mercadolivre.com.br/authorization
  • Access Token URL: https://api.mercadolibre.com/oauth/token
  • Redirect URI: https://<my-domain>/rest/oauth2-credential/callback
  • client_id, client_secret, and other fields were filled in as expected

:warning: Expected behavior

After the user is redirected back with the code parameter, N8N should send a POST request to the token endpoint with the following body (application/x-www-form-urlencoded):


grant_type=authorization_code
client_id=***
client_secret=***
code=***
redirect_uri=***
code_verifier=***

But…


:x: Actual behavior

  • N8N generates the code_verifier and code_challenge correctly
  • It successfully builds the authorization URL and redirects the user to login
  • Upon receiving the callback, it fails with this response:


{
  "error": "invalid_request",
  "message": "the following parameters are required: grant_type, client_id, client_secret, code, redirect_uri. Missing parameters: client_id, client_secret"
}

After inspecting the developer console and network tab, it was confirmed that:

  • code_verifier is sent :white_check_mark:
  • client_id and client_secret are not sent at all :x:
  • Even though they are configured, client_secret is replaced by __n8n_BLANK_VALUE_xxx in the internal callback URL

:microscope: Manual test (confirmation)

To isolate the issue, I manually performed the PKCE flow using the exact same:

  • code_verifier
  • code_challenge
  • Authorization URL
  • Redirect URI
  • Token URL

Using cURL and Postman/Apidog, when all fields are sent manually — including client_secret — authentication succeeds perfectly.

This confirms that the issue is on the N8N side and not with the target API.


:pushpin: Additional Notes

The API in question requires client_secret even in PKCE mode — which is valid per OAuth2 RFC 6749 §4.1.3.


:white_check_mark: How to reproduce

  1. Create an OAuth2 credential in N8N using PKCE grant type
  2. Fill in all required fields, including client_id and client_secret
  3. Use a service that requires client_secret even in PKCE mode (e.g. Mercado Livre)
  4. Try to authenticate
  5. You’ll see an error message:

Missing parameters: client_id, client_secret


:bulb: Possible workaround

Manually performing the authorization flow and using Header Auth in N8N with the token obtained outside of N8N is the only workaround for now.


:pray: Request

Please consider updating the PKCE implementation to allow inclusion of client_secret in the final token request, for APIs that require it. Alternatively, allow manual override of token exchange payload when using PKCE.

Let me know if you need reproducible credentials with a public API.
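Added example (not from the original post or from n8n): a small Python helper that builds the PKCE token-exchange body described above with client_secret included, and a pre-flight check that reports which of the parameters the Mercado Livre endpoint lists as required are missing or blanked, so the problem is caught before the request leaves instead of being read off the API's error. Placeholder values such as "id", "sec" and the callback URL are constructed for the test; the S256 vector is the one from RFC 7636 Appendix B.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode

# Parameters the token endpoint reported as required in the error quoted in the post.
REQUIRED_TOKEN_PARAMS = ("grant_type", "client_id", "client_secret", "code", "redirect_uri")
# Prefix n8n was observed substituting for the secret in the internal callback URL.
BLANK_MARKER = "__n8n_BLANK_VALUE"


def make_pkce_pair(verifier=None):
    """Return (code_verifier, code_challenge) using the S256 method from RFC 7636."""
    if verifier is None:
        verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge


def build_token_request_body(client_id, client_secret, code, redirect_uri, code_verifier):
    """application/x-www-form-urlencoded body for the final authorization_code exchange.

    client_secret is included whenever it is configured: PKCE does not forbid it, and
    confidential clients such as the API in the post reject the request without it.
    """
    fields = {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "code": code,
        "redirect_uri": redirect_uri,
        "code_verifier": code_verifier,
    }
    if client_secret:
        fields["client_secret"] = client_secret
    return urlencode(fields)


def missing_token_params(body):
    """Names from REQUIRED_TOKEN_PARAMS that are absent, blank, or replaced by the
    blank marker in an outgoing form body. Empty list means the body is complete."""
    parsed = parse_qs(body, keep_blank_values=True)
    missing = []
    for name in REQUIRED_TOKEN_PARAMS:
        value = parsed.get(name, [""])[0].strip()
        if not value or value.startswith(BLANK_MARKER):
            missing.append(name)
    return missing
```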

Hello @Ricardo_Cardoso

Better to create a bug report on GitHub.


Ok, thanks! I will create one.
