Hi Warren,
For (1), I will try to be more concrete using a variation of Microsoft's system
on mobile for public clients - but it is a bit of a long explanation. Microsoft
OAuth applications are assigned a random ID (for example, we'll use 1-2-3-4).
If they use iOS, they add a redirect_uri=micros
My guess is that for an Authorization Server that doesn't receive a
'code_challenge' and 'code_challenge_method' as part of the
authorization request, they treat the request as a non-PKCE
authorization request. Therefore when the 'code_verifier' is presented
at the /token endpoint, the AS ignor
Hello everyone,
I think RFC 7636 "Proof Key for Code Exchange by OAuth Public Clients", section
4.6. "Server Verifies code_verifier before Returning the Tokens" leaves a tiny
gap regarding the handling of verification when no code challenge was present
in the authorization request:
Upon recei
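The verification step at the /token endpoint that both of the messages above are discussing, as an added example (not code from the thread or from RFC 7636 itself). It assumes the authorization server stored the code_challenge and code_challenge_method alongside the issued code, and it closes the gap discussed here by rejecting a code_verifier that arrives when no code_challenge was recorded; that rejection is a policy choice made for this example, not something the RFC text mandates.

```python
import base64
import hashlib
import hmac
from typing import Optional

# Test vector from RFC 7636 Appendix B (S256 method).
RFC7636_VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
RFC7636_CHALLENGE = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"


def s256_challenge(code_verifier: str) -> str:
    """RFC 7636 section 4.2: BASE64URL(SHA256(ASCII(code_verifier))), unpadded."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def verify_pkce(stored_challenge: Optional[str],
                stored_method: Optional[str],
                code_verifier: Optional[str]) -> bool:
    """Token-endpoint check per RFC 7636 section 4.6.

    stored_challenge / stored_method are what the AS recorded with the
    authorization code at /authorize (None if the client sent no PKCE
    parameters); code_verifier is what the client sends to /token.
    The two under-specified cases are handled explicitly instead of
    being silently ignored.
    """
    if stored_challenge is None:
        # No code_challenge at /authorize: a plain non-PKCE grant.
        # Policy chosen here (an assumption of this example): a stray
        # code_verifier is rejected rather than ignored.
        return code_verifier is None
    if code_verifier is None:
        # Challenge was recorded but the client omitted the verifier.
        return False
    # Section 4.1: the verifier is 43 to 128 characters long.
    if not 43 <= len(code_verifier) <= 128:
        return False
    method = stored_method or "plain"  # section 4.3: default is "plain"
    if method == "S256":
        expected = s256_challenge(code_verifier)
    elif method == "plain":
        expected = code_verifier
    else:
        return False  # unknown transform method recorded
    # Constant-time comparison of the derived and stored challenges.
    return hmac.compare_digest(expected, stored_challenge)
```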