PKCE token request with no code_challenge_method results in 400 with "server_error" #770

@mikesaurus

Description

Describe the bug
With the latest changes to remove support for the "plain" PKCE code challenge method, a /token request using PKCE with no code_challenge_method provided in the original /authorize request results in a response with a 400 status code and a response body of "{error: server_error}". The authorization code grant workflow should not be allowed to get to this point, since an authorization request containing a code_challenge and no code_challenge_method should be treated as an attempt to use "plain" PKCE. Also, the combination of a 400 status code and a "server_error" message on the /token response is mismatched/misleading.

To Reproduce

  1. Submit an authorization code request that includes a code_challenge, but no code_challenge_method (note ability to proceed with workflow and obtain an authorization code)
  2. Submit a /token request with the resulting authorization code and a valid code_verifier

Expected behavior
According to the PKCE RFC,

code_challenge_method
OPTIONAL, defaults to "plain" if not present in the request. Code
verifier transformation method is "S256" or "plain".

Since the /authorize endpoint now validates the code_challenge_method and responds with an error for a code_challenge_method of "plain", the same should occur when a code_challenge is included in the /authorize request without a code_challenge_method.
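The two checks the report asks for, written out as an added example (this is not the project's code and makes no claim about how its endpoints are implemented): a hypothetical authorization server that applies the RFC 7636 section 4.3 default at /authorize, so an omitted code_challenge_method is rejected by the same "plain" check as an explicit one, and a /token side that verifies S256 and pairs every error with a status code that matches it (invalid_request at /authorize per RFC 7636 section 4.4.1, invalid_grant at /token per section 4.6, and server_error only as the 500 analogue it is defined as in RFC 6749). The `run_flow` helper, `SUPPORTED_METHODS` set and `OAuthError` class are assumptions introduced for the demonstration; `apply_rfc_default=False` only mimics the reported skipped check, and the 500 it produces is this example's mapping, not the 400 the issue observed.

```python
"""PKCE validation at /authorize and /token per RFC 7636 (added example, hypothetical server)."""
import base64
import hashlib
import hmac
import secrets
import string
from typing import Dict, Optional, Tuple

# Transform methods this hypothetical server supports. "plain" is deliberately absent,
# mirroring the change the issue describes.
SUPPORTED_METHODS = frozenset({"S256"})

# RFC 7636 section 4.1: code_verifier is 43..128 chars of [A-Za-z0-9-._~].
_UNRESERVED = frozenset(string.ascii_letters + string.digits + "-._~")
# Unpadded base64url alphabet used by an S256 code_challenge.
_BASE64URL = frozenset(string.ascii_letters + string.digits + "-_")


class OAuthError(Exception):
    """An OAuth 2.0 error response: HTTP status plus the RFC 6749 error code (assumed helper)."""

    def __init__(self, status: int, error: str, description: str) -> None:
        super().__init__(f"{status} {error}: {description}")
        self.status = status
        self.error = error
        self.description = description


def new_code_verifier() -> str:
    """Client side: 32 random bytes, base64url without padding -> 43 chars (RFC 7636 section 4.1)."""
    return secrets.token_urlsafe(32)


def s256_challenge(code_verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) without padding (RFC 7636 section 4.2)."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def validate_authorize_pkce(params: Dict[str, str]) -> Optional[str]:
    """Validate the PKCE parameters of an /authorize request.

    Returns the *effective* code_challenge_method to store with the authorization code,
    or None when the request does not use PKCE. Raises OAuthError 400 invalid_request
    for an unsupported transform (RFC 7636 section 4.4.1).
    """
    challenge = params.get("code_challenge")
    method = params.get("code_challenge_method")
    if challenge is None:
        if method is not None:
            raise OAuthError(400, "invalid_request", "code_challenge_method given without code_challenge")
        return None
    # RFC 7636 section 4.3: code_challenge_method is OPTIONAL and defaults to "plain".
    # Applying the default *before* the policy check is the point of the issue: an omitted
    # method must be treated exactly like an explicit "plain" and rejected the same way.
    effective = method if method is not None else "plain"
    if effective not in SUPPORTED_METHODS:
        raise OAuthError(400, "invalid_request", f"transform algorithm not supported: {effective}")
    # An S256 challenge is the unpadded base64url of 32 bytes: always exactly 43 characters.
    if len(challenge) != 43 or not set(challenge) <= _BASE64URL:
        raise OAuthError(400, "invalid_request", "malformed code_challenge for S256")
    return effective


def verify_token_pkce(stored: Dict[str, Optional[str]], code_verifier: Optional[str]) -> None:
    """Verify code_verifier on a /token request against the record saved at /authorize.

    `stored` is {"code_challenge": ..., "code_challenge_method": ...}. Raises OAuthError on failure.
    """
    challenge = stored.get("code_challenge")
    if challenge is None:
        return  # this authorization code was issued without PKCE
    if code_verifier is None:
        raise OAuthError(400, "invalid_grant", "code_verifier is required")
    if not 43 <= len(code_verifier) <= 128 or not set(code_verifier) <= _UNRESERVED:
        raise OAuthError(400, "invalid_grant", "malformed code_verifier")
    method = stored.get("code_challenge_method")
    if method != "S256":
        # Unreachable once /authorize applies the default and rejects "plain". If it is reached,
        # the stored record contradicts server policy, which is a server-side fault; RFC 6749
        # defines server_error as the 500 analogue, so it is paired with a 5xx, never a 400.
        raise OAuthError(500, "server_error", f"stored code_challenge_method {method!r} is not supported")
    # Constant-time compare of the recomputed challenge with the stored one (RFC 7636 section 4.6).
    if not hmac.compare_digest(s256_challenge(code_verifier), challenge):
        raise OAuthError(400, "invalid_grant", "PKCE verification failed")


def run_flow(authorize_params: Dict[str, str], code_verifier: str,
             apply_rfc_default: bool = True) -> Tuple[str, int, Optional[str]]:
    """Simulate the two-step flow from the report; returns (stage, http_status, error_code).

    apply_rfc_default=False mimics the reported behaviour: /authorize stores whatever method
    was sent (possibly none) without treating an omitted method as "plain".
    """
    try:
        if apply_rfc_default:
            method = validate_authorize_pkce(authorize_params)
        else:
            method = authorize_params.get("code_challenge_method")
        stored = {"code_challenge": authorize_params.get("code_challenge"), "code_challenge_method": method}
    except OAuthError as e:
        return ("authorize", e.status, e.error)
    try:
        verify_token_pkce(stored, code_verifier)
    except OAuthError as e:
        return ("token", e.status, e.error)
    return ("ok", 200, None)


if __name__ == "__main__":
    verifier = new_code_verifier()
    challenge = s256_challenge(verifier)
    print(run_flow({"code_challenge": challenge, "code_challenge_method": "S256"}, verifier))
    print(run_flow({"code_challenge": challenge}, verifier))              # rejected at /authorize
    print(run_flow({"code_challenge": challenge}, verifier, False))       # reported path: fails late
```

The check that matters is the single line that substitutes "plain" for a missing method before the policy test; with it in place the omitted-method request never reaches /token, and the only errors the token endpoint can emit for PKCE are invalid_grant.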
