diff --git a/src/Identity.API/Configuration/Config.cs b/src/Identity.API/Configuration/Config.cs
index a3afecab0..5367dd1c7 100644
--- a/src/Identity.API/Configuration/Config.cs
+++ b/src/Identity.API/Configuration/Config.cs
@@ -157,9 +157,13 @@ public static IEnumerable GetClients(IConfiguration configuration)
 {
 ClientId = "orderingswaggerui",
 ClientName = "Ordering Swagger UI",
- AllowedGrantTypes = GrantTypes.Implicit,
+ ClientSecrets = new List()
+ {
+ new Secret("secret".Sha256())
+ },
+ AllowedGrantTypes = GrantTypes.Code,
 AllowAccessTokensViaBrowser = true,
-
+
 RedirectUris = { $"{configuration["OrderingApiClient"]}/swagger/oauth2-redirect.html" },
 PostLogoutRedirectUris = { $"{configuration["OrderingApiClient"]}/swagger/" },
@@ -172,7 +176,11 @@ public static IEnumerable GetClients(IConfiguration configuration)
 {
 ClientId = "webhooksswaggerui",
 ClientName = "WebHooks Service Swagger UI",
- AllowedGrantTypes = GrantTypes.Implicit,
+ ClientSecrets = new List()
+ {
+ new Secret("secret".Sha256())
+ },
+ AllowedGrantTypes = GrantTypes.Code,
 AllowAccessTokensViaBrowser = true,
 RedirectUris = { $"{configuration["WebhooksApiClient"]}/swagger/oauth2-redirect.html" },
diff --git a/src/Identity.API/Program.cs b/src/Identity.API/Program.cs
index 31f101fc8..01a912880 100644
--- a/src/Identity.API/Program.cs
+++ b/src/Identity.API/Program.cs
@@ -36,8 +36,18 @@ builder.Services.AddTransient, EFLoginService>();
 builder.Services.AddTransient();
-var app = builder.Build();
+builder.Services.AddCors(options =>
+{
+ options.AddPolicy("Default",
+ policyBuilder => policyBuilder.AllowAnyOrigin()
+ .AllowAnyMethod()
+ .AllowAnyHeader());
+});
+// Not recommended for production - you need to configure CORS to match your requirements
+// See https://docs.asp.net/en/latest/security/cors.html#how-to-enable-cors
+var app = builder.Build();
+app.UseCors("Default");
 app.MapDefaultEndpoints();
 app.UseStaticFiles();
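Review bot: `new Secret("secret".Sha256())` registers a shared secret for the `orderingswaggerui` client, but the consumer of that client is a browser-hosted Swagger UI, a public client — the same value is committed in appsettings.json and handed to Swagger UI's page through `OAuthClientSecret`, so it provides no confidentiality and a hard-coded `"secret"` only suggests a protection that is not there. For a public client the IdentityServer-style configuration is `RequireClientSecret = false,` together with `RequirePkce = true,` (the UI side already calls `OAuthUsePkce()`), with no `ClientSecrets` entry at all. `AllowAccessTokensViaBrowser = true` is an implicit-flow setting that the removed `GrantTypes.Implicit` line needed; with `AllowedGrantTypes = GrantTypes.Code` it should be dropped so tokens are never returned on the front channel. The `webhooksswaggerui` hunk below has the identical shape and needs the same treatment; both client initializers continue outside the hunks.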
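Review bot: The `AllowAnyOrigin().AllowAnyMethod().AllowAnyHeader()` policy applied by `app.UseCors("Default")` makes every endpoint of the identity service callable cross-origin from any site, which is broader than this change needs: the only new cross-origin callers are the two Swagger UI pages, whose origins are already in configuration (`OrderingApiClient` and `WebhooksApiClient`, as used in Config.cs). Prefer `policyBuilder.WithOrigins(...)` built from those configured values, and check whether the global policy is needed at all — IdentityServer-style clients carry an `AllowedCorsOrigins` list that the token endpoint honours on its own, which would make `AddCors` here redundant for the Swagger flow. The "Not recommended for production" comment is placed after the `AddCors` block it describes, directly above `var app = builder.Build();`, where a reader will attach it to the wrong statement; move both comment lines above `builder.Services.AddCors(options =>`. Whether `app.UseCors` is ordered correctly relative to the identity and authentication middleware depends on lines outside the hunk.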
diff --git a/src/Ordering.API/appsettings.json b/src/Ordering.API/appsettings.json
index 2cd15de60..be8a0c850 100644
--- a/src/Ordering.API/appsettings.json
+++ b/src/Ordering.API/appsettings.json
@@ -17,6 +17,7 @@
 },
 "Auth": {
 "ClientId": "orderingswaggerui",
+ "ClientSecret" : "secret",
 "AppName": "Ordering Swagger UI"
 }
 },
diff --git a/src/Webhooks.API/appsettings.json b/src/Webhooks.API/appsettings.json
index 22bcb52be..81338ae33 100644
--- a/src/Webhooks.API/appsettings.json
+++ b/src/Webhooks.API/appsettings.json
@@ -17,6 +17,7 @@
 },
 "Auth": {
 "ClientId": "webhooksswaggerui",
+ "ClientSecret": "secret",
 "AppName": "WebHooks Service Swagger UI"
 }
 },
diff --git a/src/eShop.ServiceDefaults/OpenApi.Extensions.cs b/src/eShop.ServiceDefaults/OpenApi.Extensions.cs
index 2f8914d6c..8b0a5be16 100644
--- a/src/eShop.ServiceDefaults/OpenApi.Extensions.cs
+++ b/src/eShop.ServiceDefaults/OpenApi.Extensions.cs
@@ -4,6 +4,7 @@
 using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Hosting;
+using Microsoft.OpenApi.Any;
 using Microsoft.OpenApi.Models;
 using Swashbuckle.AspNetCore.SwaggerGen;
@@ -47,7 +48,9 @@ public static IApplicationBuilder UseDefaultOpenApi(this WebApplication app)
 if (authSection.Exists())
 {
 setup.OAuthClientId(authSection.GetRequiredValue("ClientId"));
+ setup.OAuthClientSecret(authSection.GetRequiredValue("ClientSecret"));
 setup.OAuthAppName(authSection.GetRequiredValue("AppName"));
+ setup.OAuthUsePkce();
 }
 });
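Review bot: `"ClientSecret" : "secret"` commits a literal credential to appsettings.json, and the Webhooks.API hunk adds the same line; even as a placeholder, a checked-in secret is what secret scanners flag and what tends to survive unchanged into deployments. Because this value is passed to a browser-hosted Swagger UI it cannot be kept confidential anyway, so the cleaner fix is to not require a secret for these clients (PKCE-only public client) rather than to relocate it; if the key must stay, leave it empty here (`"ClientSecret": ""`) and supply any real value from environment or user-secrets configuration at deploy time. Minor: the Ordering.API line has a space before the colon, unlike Webhooks.API's `"ClientSecret": "secret"`.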
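Review bot: `using Microsoft.OpenApi.Any;` has no visible use in the hunks of OpenApi.Extensions.cs; the types this change touches (`OpenApiSecurityScheme`, `OpenApiOAuthFlows`, `OpenApiOAuthFlow`) all come from the already-imported `Microsoft.OpenApi.Models`. If nothing in the rest of the file references that namespace, drop the directive rather than leave a stray import.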
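Review bot: `setup.OAuthClientSecret(authSection.GetRequiredValue("ClientSecret"))` embeds the client secret in the Swagger UI page delivered to the browser, so the value is public by construction, and `GetRequiredValue` now makes `ClientSecret` mandatory for every service whose `Auth` section exists — only Ordering.API and Webhooks.API add it in this change, so any other service with an `Auth` section (none is shown in the diff) would fail at startup. Since `setup.OAuthUsePkce()` is added on the following line, the public-client shape PKCE is meant for needs no secret at all; prefer removing the `OAuthClientSecret` call, or at minimum make it optional: `var clientSecret = authSection["ClientSecret"]; if (!string.IsNullOrEmpty(clientSecret)) setup.OAuthClientSecret(clientSecret);`. `UseDefaultOpenApi` continues outside the hunk.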
@@ -116,14 +119,13 @@ public static IHostApplicationBuilder AddDefaultOpenApi(this IHostApplicationBui
 options.AddSecurityDefinition("oauth2", new OpenApiSecurityScheme
 {
 Type = SecuritySchemeType.OAuth2,
- Flows = new OpenApiOAuthFlows()
+ Flows = new OpenApiOAuthFlows
 {
- // TODO: Change this to use Authorization Code flow with PKCE
- Implicit = new OpenApiOAuthFlow()
+ AuthorizationCode = new OpenApiOAuthFlow
 {
 AuthorizationUrl = new Uri($"{identityUrlExternal}/connect/authorize"),
 TokenUrl = new Uri($"{identityUrlExternal}/connect/token"),
- Scopes = scopes,
+ Scopes = scopes
 }
 }
 });
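Review bot: Removing the `// TODO: Change this to use Authorization Code flow with PKCE` line leaves nothing in `AddDefaultOpenApi` saying that PKCE is part of the design, and the OpenAPI flow object itself cannot express it — the PKCE setting lives in the separate `setup.OAuthUsePkce()` call in `UseDefaultOpenApi`. A short pointer above `AuthorizationCode = new OpenApiOAuthFlow` keeps the two halves linked, e.g. `// Authorization code flow; PKCE is enabled for Swagger UI in UseDefaultOpenApi via OAuthUsePkce()`. `AddDefaultOpenApi` begins and ends outside the hunk.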