Describe the bug
With the latest changes to remove support for the "plain" PKCE code challenge method, a /token request using PKCE with no code_challenge_method provided in the original /authorize request results in a response with a 400 status code and a response body of "{error: server_error}". The authorization code grant workflow should not be allowed to get to this point, since an authorization request containing a code_challenge and no code_challenge_method should be treated as an attempt to use "plain" PKCE. Also, the combination of a 400 status code and a "server_error" message on the /token response is mismatched/misleading.
To Reproduce
1. Submit an authorization code request that includes a code_challenge, but no code_challenge_method (note the ability to proceed with the workflow and obtain an authorization code).
2. Submit a /token request with the resulting authorization code and a valid code_verifier.
Expected behavior
According to the PKCE RFC (RFC 7636, Section 4.3):
    code_challenge_method
        OPTIONAL, defaults to "plain" if not present in the request. Code verifier transformation method is "S256" or "plain".
Since the /authorize endpoint now validates the code_challenge_method and responds with an error for a code_challenge_method of "plain", the same should occur when a code_challenge is included in the /authorize request without a code_challenge_method.
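As an added example (not the project's own code), the behaviour this issue asks for: an /authorize-side check that applies the RFC 7636 default of "plain" to a missing code_challenge_method and rejects it with invalid_request before any authorization code is issued, plus the matching /token-side verifier check returning invalid_grant rather than server_error. The allowed-method set and the OAuthError class are assumptions for the example.

```python
import base64
import hashlib
import secrets
from typing import Optional

# Assumption for this example: only S256 is still supported, "plain" has been removed.
ALLOWED_METHODS = {"S256"}


class OAuthError(Exception):
    """Carries the OAuth 2.0 error code that should be returned to the client."""

    def __init__(self, error: str, description: str):
        super().__init__(f"{error}: {description}")
        self.error = error


def s256_challenge(verifier: str) -> str:
    """RFC 7636 section 4.2: BASE64URL(SHA256(ASCII(code_verifier))) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def validate_authorize_pkce(params: dict) -> dict:
    """Validate the PKCE parameters of an /authorize request.

    Returns the PKCE state to store with the authorization code, or an empty dict
    when the client did not use PKCE. Rejecting here stops the flow from reaching
    /token with a challenge the server can no longer verify.
    """
    challenge = params.get("code_challenge")
    method = params.get("code_challenge_method")
    if challenge is None:
        if method is not None:
            raise OAuthError("invalid_request", "code_challenge_method without code_challenge")
        return {}
    # RFC 7636 section 4.3: code_challenge_method defaults to "plain" when absent,
    # so a missing method is treated exactly like an explicit "plain".
    method = method or "plain"
    if method not in ALLOWED_METHODS:
        raise OAuthError("invalid_request", f"unsupported code_challenge_method {method!r}")
    return {"code_challenge": challenge, "code_challenge_method": method}


def verify_token_request(stored: dict, verifier: Optional[str]) -> None:
    """Check the code_verifier presented at /token against the stored S256 challenge."""
    if not stored:
        return  # the authorization request did not use PKCE
    if verifier is None or not 43 <= len(verifier) <= 128:  # RFC 7636 section 4.1 length rule
        raise OAuthError("invalid_grant", "code_verifier missing or of invalid length")
    if not secrets.compare_digest(s256_challenge(verifier), stored["code_challenge"]):
        raise OAuthError("invalid_grant", "code_verifier does not match code_challenge")
```

With this ordering, the first reproduction step in the issue already fails with invalid_request at /authorize, so no authorization code is ever minted for an unverifiable challenge.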