https://www.ietf.org/archive/id/draft-ietf-oauth-v2-1-08.html#name-countermeasures-2 says
> To prevent injection of authorization codes into the client, using
> code_challenge and code_verifier is REQUIRED for clients, and authorization
> servers MUST enforce their use unless both of the following criteria are
> met...

Suppose a client (that doesn't meet the exception criteria) omits code_challenge in an authorization request. Must the authorization server reject it?

"Enforce their use" is unclear to me. It could mean "if populated, enforce that they are used correctly" (weaker) or "enforce that they are populated AND used correctly" (stronger).

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
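To make the two readings concrete, here is an added example (not code from the draft, the poster, or any real authorization server): a minimal hypothetical authorization server in Python where one flag selects whether a non-exempt client's request without code_challenge is rejected at the authorization endpoint (the stronger reading) or merely authorized without PKCE (the weaker reading). In both modes a code_challenge that is present is validated, and the token endpoint applies the S256 check from RFC 7636 plus a downgrade check that refuses a code_verifier for a code that was issued without a challenge. The exception criteria elided in the quote are modelled as an opaque per-client flag, and every class, function and parameter name here is an assumption for the example.

```python
"""Hypothetical authorization server contrasting the two readings of
"enforce their use". Added example; not from the draft or the post.
Names (AuthorizationServer, Client, AuthError, exempt_from_pkce) are assumptions."""
import base64
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass
from typing import Optional

# RFC 7636 sections 4.1/4.2: code_verifier and code_challenge consist of
# 43 to 128 "unreserved" characters.
_PKCE_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


class AuthError(Exception):
    """A rejected request; the message is the OAuth error code (hypothetical type)."""


@dataclass
class Client:
    client_id: str
    # Stands in for the draft's exception criteria (elided in the quoted text);
    # how a deployment establishes this is outside the example.
    exempt_from_pkce: bool = False


@dataclass
class PendingCode:
    client_id: str
    code_challenge: Optional[str]  # None when the request carried no PKCE


def s256_challenge(code_verifier: str) -> str:
    """RFC 7636 S256: BASE64URL(SHA256(ASCII(code_verifier))), no padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def new_verifier() -> str:
    """Client side: 32 random bytes, base64url-encoded (43 unreserved chars)."""
    return secrets.token_urlsafe(32)


class AuthorizationServer:
    def __init__(self, reject_missing_challenge: bool):
        # True  = stronger reading: non-exempt clients must send code_challenge.
        # False = weaker reading: PKCE is only validated when the client sends it.
        self.reject_missing_challenge = reject_missing_challenge
        self._codes: dict[str, PendingCode] = {}

    def authorize(self, client: Client, params: dict) -> str:
        """Authorization endpoint; returns the authorization code."""
        challenge = params.get("code_challenge")
        if challenge is None:
            # The one branch on which the two readings differ.
            if self.reject_missing_challenge and not client.exempt_from_pkce:
                raise AuthError("invalid_request")
        else:
            # This example accepts only S256; "plain" is deliberately unsupported.
            if params.get("code_challenge_method") != "S256":
                raise AuthError("invalid_request")
            if not _PKCE_RE.match(challenge):
                raise AuthError("invalid_request")
        code = secrets.token_urlsafe(32)
        self._codes[code] = PendingCode(client.client_id, challenge)
        return code

    def token(self, client: Client, params: dict) -> str:
        """Token endpoint; returns an access token for a valid exchange."""
        pending = self._codes.pop(params.get("code", ""), None)  # single use
        if pending is None or pending.client_id != client.client_id:
            raise AuthError("invalid_grant")
        verifier = params.get("code_verifier")
        if pending.code_challenge is None:
            # Downgrade check: no challenge was bound to this code, so a
            # verifier must not be able to "complete" PKCE after the fact.
            if verifier is not None:
                raise AuthError("invalid_grant")
            return secrets.token_urlsafe(32)
        if verifier is None or not _PKCE_RE.match(verifier):
            raise AuthError("invalid_grant")
        if not hmac.compare_digest(s256_challenge(verifier), pending.code_challenge):
            raise AuthError("invalid_grant")
        return secrets.token_urlsafe(32)


def run_flow(server: AuthorizationServer, client: Client,
             use_pkce: bool, tamper_verifier: bool = False) -> str:
    """Drive one authorization-code exchange and report the outcome."""
    verifier = new_verifier()
    auth_params = {"response_type": "code", "client_id": client.client_id}
    if use_pkce:
        auth_params.update(code_challenge=s256_challenge(verifier),
                           code_challenge_method="S256")
    try:
        code = server.authorize(client, auth_params)
    except AuthError as e:
        return f"authorize rejected: {e}"
    token_params = {"grant_type": "authorization_code", "code": code}
    if use_pkce:
        token_params["code_verifier"] = new_verifier() if tamper_verifier else verifier
    try:
        server.token(client, token_params)
    except AuthError as e:
        return f"token rejected: {e}"
    return "token issued"
```

Running run_flow() against AuthorizationServer(reject_missing_challenge=True) and False shows that the readings differ only for a non-exempt client that omits code_challenge: the stronger reading fails the request at the authorization endpoint, the weaker one issues a code without PKCE. In the weaker mode the downgrade check in token() is what stops a code obtained without a challenge from being redeemed by a client session that did send one, so it is not optional under either reading.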