I believe that the quoted line below is important:
> On 7 Nov 2025, at 10:42, Frederik Krogsdal Jacobsen
> <[email protected]> wrote:
>
> PKCE by itself does not fix this problem, but intentionally using PKCE
> without a verifier is one way to revoke a code without getting a token that
> you could accidentally use.
It seems very logical that a client implementation that needs to exchange an
authorization code would need a PKCE verifier. It is trying to look it up, but
due to this being a malicious or tampered-with flow, that lookup is likely to
fail (i.e., no PKCE verifier available). If I were writing this code, I would not
call the AS knowing up front that this request is going to fail. So based on
this discussion, it really seems that we should make this a guideline for
implementing PKCE on the client.
Philippe
_______________________________________________
OAuth mailing list -- [email protected]
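A client-side sketch of the guideline discussed above, added here as an example and not code from the thread or from any OAuth library: the verifier lookup keyed by `state` is the gate, and when it finds nothing the token endpoint is never called. The in-memory store and the injected `exchange` callable (standing in for the real token-endpoint request) are assumptions so the sketch runs offline.

```python
import base64
import hashlib
import secrets
from typing import Callable, Dict
from urllib.parse import parse_qs


def make_verifier() -> str:
    # RFC 7636 code_verifier: 43-128 URL-safe chars; 32 random bytes give 43.
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()


def s256_challenge(verifier: str) -> str:
    # code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) without padding.
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


class PkceClient:
    """Minimal OAuth client keeping state -> code_verifier in memory (assumed store)."""

    def __init__(self, exchange: Callable[[str, str], dict]):
        # exchange(code, verifier) stands in for the token-endpoint call (assumption).
        self._exchange = exchange
        self._pending: Dict[str, str] = {}

    def begin(self) -> Dict[str, str]:
        """Create state + verifier and return the authorization request parameters."""
        state = secrets.token_urlsafe(16)
        verifier = make_verifier()
        self._pending[state] = verifier
        return {"response_type": "code", "state": state,
                "code_challenge": s256_challenge(verifier),
                "code_challenge_method": "S256"}

    def handle_redirect(self, query: str) -> Dict[str, str]:
        """Process the redirect query string; exchange the code only if a verifier exists."""
        params = parse_qs(query)
        state = params.get("state", [None])[0]
        code = params.get("code", [None])[0]
        # pop(): a replayed redirect for the same state finds nothing the second time.
        verifier = self._pending.pop(state, None)
        if code is None or verifier is None:
            # No verifier for this state: treat it as a tampered flow and never call the AS.
            return {"status": "rejected", "reason": "no PKCE verifier for this state"}
        token = self._exchange(code, verifier)
        return {"status": "exchanged", "token": token["access_token"]}
```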