Throw invalid_grant when invalid token request with PKCE #581
`authorization_code` in a token request with a PKCE `code_verifier`, throw `invalid_grant`, as per RFC 6749. It is consistent with behavior in `OAuth2AuthorizationCodeAuthenticationProvider#authenticate`.

`code_verifier`, throw `invalid_grant`, as per RFC 7636.

There is an additional corner-case in `OAuth2ClientAuthenticationProvider#authenticatePkceIfAvailable`, when there is no `code_challenge` in the authorization request and the client requires PKCE. This will throw an `invalid_request`. I am unsure what we should throw in this case, I put `invalid_grant` for consistency, feel free to change it.
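The token-endpoint decision the description above sets out, as a self-contained Python model added here for illustration; it is not Spring Authorization Server's Java code, and `StoredAuthorization` and `pkce_token_request_error` are hypothetical names standing in for the project's own classes.

```python
import base64
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


# Hypothetical minimal stand-in for the authorization the server looked up
# by the submitted authorization_code (the project's own class holds more).
@dataclass
class StoredAuthorization:
    code_challenge: Optional[str]          # None when PKCE was not used
    code_challenge_method: Optional[str]   # "S256", "plain" or None


def s256_challenge(code_verifier: str) -> str:
    """RFC 7636 S256 transform: BASE64URL(SHA256(ASCII(code_verifier))), no padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def pkce_token_request_error(stored: Optional[StoredAuthorization],
                             code_verifier: Optional[str],
                             client_requires_pkce: bool) -> Optional[str]:
    """Return the OAuth error code the token endpoint should answer with,
    or None when the PKCE checks pass."""
    # No authorization matches the authorization_code sent alongside a
    # code_verifier: invalid_grant (RFC 6749 section 5.2).
    if stored is None:
        return "invalid_grant"
    if stored.code_challenge is None:
        # Corner case from the PR text: the authorization request carried no
        # code_challenge but the client is required to use PKCE. The PR chose
        # invalid_grant here for consistency; that choice is kept.
        return "invalid_grant" if client_requires_pkce else None
    # A challenge was stored, so the token request must prove possession.
    if code_verifier is None:
        return "invalid_grant"
    method = stored.code_challenge_method or "plain"
    if method == "S256":
        expected = s256_challenge(code_verifier)
    elif method == "plain":
        expected = code_verifier
    else:
        return "invalid_request"   # unknown transform name
    # Constant-time comparison; a mismatch is invalid_grant (RFC 7636 section 4.6).
    if hmac.compare_digest(expected, stored.code_challenge):
        return None
    return "invalid_grant"
```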