From a56d4dca3633d040bc9e13aaf9aab298ee651d24 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Art=C5=ABrs=20J=C4=81nis=20P=C4=93tersons?=
Date: Tue, 16 Mar 2021 10:10:41 +0200
Subject: [PATCH] Check PCKE only for Authorization code flow

---
 server/server.go | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/server/server.go b/server/server.go
index 4e1215f..6854a4f 100755
--- a/server/server.go
+++ b/server/server.go
@@ -311,11 +311,6 @@ func (s *Server) ValidationTokenRequest(r *http.Request) (oauth2.GrantType, *oau
 return "", nil, errors.ErrUnsupportedGrantType
 }
 
- codeVer := r.FormValue("code_verifier")
- if s.Config.ForcePKCE && codeVer == "" {
- return "", nil, errors.ErrInvalidRequest
- }
-
 clientID, clientSecret, err := s.ClientInfoHandler(r)
 if err != nil {
 return "", nil, err
@@ -335,7 +330,10 @@ func (s *Server) ValidationTokenRequest(r *http.Request) (oauth2.GrantType, *oau
 tgr.Code == "" {
 return "", nil, errors.ErrInvalidRequest
 }
- tgr.CodeVerifier = codeVer
+ tgr.CodeVerifier = r.FormValue("code_verifier")
+ if s.Config.ForcePKCE && tgr.CodeVerifier == "" {
+ return "", nil, errors.ErrInvalidRequest
+ }
 case oauth2.PasswordCredentials:
 tgr.Scope = r.FormValue("scope")
 username, password := r.FormValue("username"), r.FormValue("password")
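Review bot: The added check in the `oauth2.AuthorizationCode` case only tests that `code_verifier` is non-empty, so a present-but-malformed verifier passes this validation layer and is presumably only caught later when it is compared against the stored challenge; RFC 7636 §4.1 bounds the verifier to 43–128 unreserved characters, and rejecting out-of-range input here with `invalid_request` keeps the format error separate from a genuine challenge mismatch. A two-line guard after the assignment would do it: `if n := len(tgr.CodeVerifier); n != 0 && (n < 43 || n > 128) { return "", nil, errors.ErrInvalidRequest }`. The new block also deserves a why-comment, since the move is the whole point of the commit: `// PKCE only applies to the authorization code grant; refresh, password and client-credential requests carry no code_verifier, so ForcePKCE is enforced here rather than for every grant type.` The `ValidationTokenRequest` body starts before the first hunk and continues past the last one, so the remaining grant cases are not visible here.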