I’m working on a browser extension that allows one-click addition of specific observation field values. I’ve got it working locally using the resource owner password credentials authentication flow to get a token for the API. I don’t want to use that in the production version because the code includes my personal iNat login info. I am trying to replace it with the PKCE flow, and I think I have the request generated correctly but it is rejecting my request. I have also been able to authenticate using the Authorization code flow in R, but that requires my app secret and I don’t want to include that in the extension either. Can someone take a look at what I’m doing and help me figure out why the PKCE request is being rejected?
The code I am using in this aspect should all be available here: https://github.com/Megachile/authtest
Note that to test it, you will need to load any page that begins with the URL https://www.inaturalist.org/observations/identify. This will prompt the extension to open the page where it gets the code it uses in the authentication step. The majority of the relevant code runs in background.js, so be sure to check the background (service worker) console output to see what is happening.
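For reference, the PKCE pieces described in the post, as an added example that is not part of the original post and is not the code in the linked repository. It follows RFC 7636 with the S256 method; the function names, the endpoint passed to `authorizeUrl`, the client ID and the redirect URI are assumptions or placeholders, and the server's exact parameter requirements should be checked against its API documentation.

```javascript
// Added example (hypothetical helper names): PKCE for a public client such as a
// browser extension, where neither a password nor a client secret can be shipped.
// Web Crypto is a global in extension service workers; the fallback covers older Node.
const wc = globalThis.crypto ??
  (typeof require === "function" ? require("node:crypto").webcrypto : undefined);

// base64url WITHOUT padding: "+" -> "-", "/" -> "_", trailing "=" removed.
// Plain base64 output here is a frequent cause of a challenge mismatch.
function base64url(bytes) {
  let bin = "";
  for (const b of bytes) bin += String.fromCharCode(b);
  return btoa(bin).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// 32 random bytes give a 43-character verifier (RFC 7636 allows 43 to 128).
function newVerifier() {
  return base64url(wc.getRandomValues(new Uint8Array(32)));
}

// S256: code_challenge = BASE64URL(SHA-256(ASCII(code_verifier))).
async function challengeFor(verifier) {
  if (!/^[A-Za-z0-9\-._~]{43,128}$/.test(verifier)) throw new Error("invalid code_verifier");
  const digest = await wc.subtle.digest("SHA-256", new TextEncoder().encode(verifier));
  return base64url(new Uint8Array(digest));
}

// Step 1: the authorization request carries only the challenge.
// `endpoint`, `clientId` and `redirectUri` are supplied by the caller (assumed values).
function authorizeUrl(endpoint, { clientId, redirectUri, challenge, state }) {
  const u = new URL(endpoint);
  u.search = new URLSearchParams({
    response_type: "code", client_id: clientId, redirect_uri: redirectUri,
    code_challenge: challenge, code_challenge_method: "S256", state,
  }).toString();
  return u.toString();
}

// Step 2: the token request sends the original verifier and no client_secret.
// redirect_uri must be byte-for-byte the value used in step 1.
function tokenRequestBody({ clientId, redirectUri, code, verifier }) {
  return new URLSearchParams({
    grant_type: "authorization_code", client_id: clientId, redirect_uri: redirectUri,
    code, code_verifier: verifier,
  }).toString();
}
```

The verifier has to be kept (for example in extension storage) between step 1 and step 2, because the server recomputes the challenge from it when the code is redeemed.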