Bug
Resolution: Unresolved
Low
None
1.0.2
Minor
Problem
When a remote application tries to obtain an access token using the PKCE workflow, Jira rejects the request and demands a client secret, even though the whole purpose of Proof Key for Code Exchange (PKCE, RFC 7636) is to let a public client that cannot store a secret bind the authorization code to itself with a code verifier instead.
Environment
- Jira 9.15.2
Steps to Reproduce
- Create an incoming application link on Jira
- Generate a code verifier and a code challenge for the remote application
- Open the consent page and approve the link: GET https://JIRA-HOST/jira/plugins/servlet/oauth2/consent?client_id=V1&redirect_uri=V2&response_type=code&scope=V3&code_challenge_method=S256&code_challenge=V4
- Copy the authorization code from the redirect URL of the previous step, and keep the code verifier generated in the second step
- Send a POST request to: https://JIRA-HOST/jira/rest/oauth2/latest/token?client_id=V1&code=V2&grant_type=authorization_code&redirect_uri=V3&code_verifier=V4
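The five steps above, scripted end to end, as an added example that is not part of the original report or of Jira's own code. It generates an RFC 7636 code verifier and S256 challenge, builds the consent URL and the token URL exactly in the shape the report uses (parameters in the query string of the POST), and, for the token exchange, surfaces the 401 body so the "client_secret required" response is visible. The Jira base URL, client_id, redirect URI and scope are placeholders; the state parameter is an addition the report does not use.

```python
import base64
import hashlib
import json
import secrets
import urllib.error
import urllib.parse
import urllib.request

# Assumed placeholders, not values from the report: substitute your own
# Jira base URL and the client_id / redirect URI of the incoming link.
JIRA_BASE = "https://JIRA-HOST/jira"
CLIENT_ID = "V1"
REDIRECT_URI = "https://app.example/callback"
SCOPE = "WRITE"

# Unreserved characters allowed in a code_verifier (RFC 7636 section 4.1).
VERIFIER_ALPHABET = (
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"
)


def code_challenge_for(verifier):
    """S256 challenge: BASE64URL(SHA256(ASCII(verifier))) without '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def generate_pkce(length=64):
    """Return (code_verifier, code_challenge). The verifier must be 43..128
    characters from the unreserved set; it stays on the client until step 5."""
    if not 43 <= length <= 128:
        raise ValueError("code_verifier length must be between 43 and 128")
    verifier = "".join(secrets.choice(VERIFIER_ALPHABET) for _ in range(length))
    return verifier, code_challenge_for(verifier)


def consent_url(challenge, state, base=JIRA_BASE, client_id=CLIENT_ID,
                redirect_uri=REDIRECT_URI, scope=SCOPE):
    """Step 3: the consent GET. 'state' is a CSRF token the report omits."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": scope,
        "code_challenge_method": "S256",
        "code_challenge": challenge,
        "state": state,
    }
    return base + "/plugins/servlet/oauth2/consent?" + urllib.parse.urlencode(params)


def token_url(code, verifier, client_secret=None, base=JIRA_BASE,
              client_id=CLIENT_ID, redirect_uri=REDIRECT_URI):
    """Step 5: the token POST. As in the report, the parameters go in the
    query string; client_secret is appended only when one is supplied."""
    params = {
        "client_id": client_id,
        "code": code,
        "grant_type": "authorization_code",
        "redirect_uri": redirect_uri,
        "code_verifier": verifier,
    }
    if client_secret is not None:
        params["client_secret"] = client_secret
    return base + "/rest/oauth2/latest/token?" + urllib.parse.urlencode(params)


def exchange_code(code, verifier, client_secret=None):
    """POST the token request and return the parsed JSON token response.
    On the 401 the report describes, raise with the response body so the
    server's reason (the missing client_secret) is visible to the caller."""
    req = urllib.request.Request(token_url(code, verifier, client_secret),
                                 data=b"", method="POST")
    req.add_header("Accept", "application/json")
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return json.loads(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as err:
        body = err.read().decode("utf-8", "replace")
        raise RuntimeError(f"token endpoint returned {err.code}: {body}") from err


if __name__ == "__main__":
    verifier, challenge = generate_pkce()
    state = secrets.token_urlsafe(16)
    print("1. Open and approve:", consent_url(challenge, state))
    code = input("2. Paste the 'code' from the redirect URL: ").strip()
    print(json.dumps(exchange_code(code, verifier), indent=2))
```

Against an affected Jira, exchange_code raises with the 401 body from the Actual Results section; passing client_secret makes it succeed, which is exactly the behaviour the report objects to. The challenge function can be checked offline against the RFC 7636 Appendix B test vector.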
Expected Results
Jira returns an access token for the remote application with HTTP 200:
{
  "scope": "SYSTEM_ADMIN",
  "access_token": "eyJhbGciOiJIUzI1NiJ9.eyJpZCI6ImY2MTViMTdiNDVjMzMxMDU2MTBmMmMwZjQ0N2MwM2E5In0.geCLYxFBbJOOuQa1Z3wpLWl4w-M49l6b76aAKm_6Kzg",
  "token_type": "bearer",
  "expires_in": 3600,
  "refresh_token": "eyJhbGciOiJIUzI1NiJ9.eyJpZCI6ImIzYjlmODg0N2M2ODdhYjcwMzRkZmUzYWYxODUzZWI1In0.mFoOTFD1OIhFt7u9i5Ge2AP9fG_8DmGmuyleGkftUrQ"
}
Actual Results
Jira returns HTTP 401 and asks for a client_secret.
Workaround
Following the Atlassian guide "Setting properties and options on startup", add the JVM argument
-Datlassian.oauth2.provider.validate.client.secret=false
Notes
- This workaround stops Jira from verifying the stored client_secret of every incoming application link, not only the PKCE ones, so it has a global security impact: a confidential client's secret no longer protects its authorization codes, and anyone who knows that client_id and obtains a code can redeem it unless the client also uses PKCE. Apply the workaround only if every remote app is meant to work without a client secret, relying on PKCE alone.