I am working on implementing the OIDC PKCE flow. Going through RFC 7636, I have a doubt about the details mentioned under Error Responses (4.4.1) and Compatibility (section 5).
For Error Response, it states:
If the server requires Proof Key for Code Exchange (PKCE) by OAuth public clients and the client does not send the "code_challenge" in the request, the authorization endpoint MUST return the authorization error response with the "error" value set to "invalid_request". The "error_description" or the response of "error_uri" SHOULD explain the nature of error, e.g., code challenge required.

If the server supporting PKCE does not support the requested transformation, the authorization endpoint MUST return the authorization error response with "error" value set to "invalid_request". The "error_description" or the response of "error_uri" SHOULD explain the nature of error, e.g., transform algorithm not supported.
For Compatibility it states:
Server implementations of this specification MAY accept OAuth2.0 clients that do not implement this extension. If the "code_verifier" is not received from the client in the Authorization Request, servers supporting backwards compatibility revert to the OAuth 2.0 [RFC6749] protocol without this extension.

As the OAuth 2.0 [RFC6749] server responses are unchanged by this specification, client implementations of this specification do not need to know if the server has implemented this specification or not and SHOULD send the additional parameters as defined in Section 4 to all servers.
So do we need to add checks to verify if code_verifier is present or not?
question from:
https://stackoverflow.com/questions/65944905/error-response-and-compatibility-mismatch-in-rfc-7636-pkce
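An added example (not from the question or any particular library) of how a server can reconcile the two sections quoted above: the authorization endpoint applies the 4.4.1 checks only when a challenge is absent under a "PKCE required" policy or when the transform is unsupported, and otherwise falls back to plain OAuth 2.0 as section 5 allows; the token endpoint then verifies code_verifier only if a challenge was bound to the code. The in-memory `issued_codes` store, the `require_pkce` policy flag and the function names are assumptions made for the example.

```python
import base64
import hashlib
import secrets

SUPPORTED_METHODS = ("plain", "S256")
issued_codes = {}  # assumed store: authorization code -> (code_challenge, method) or None


def s256_challenge(code_verifier: str) -> str:
    """BASE64URL(SHA256(ASCII(code_verifier))) without padding, RFC 7636 section 4.2."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def authorize(params: dict, require_pkce: bool) -> dict:
    """Authorization endpoint: RFC 7636 4.4.1 error responses or section 5 fallback."""
    challenge = params.get("code_challenge")
    method = params.get("code_challenge_method", "plain")  # default per RFC 7636 4.3
    if challenge is None:
        if require_pkce:  # server policy for public clients
            return {"error": "invalid_request",
                    "error_description": "code challenge required"}
        pkce = None  # backwards compatibility: plain OAuth 2.0, nothing to verify later
    elif method not in SUPPORTED_METHODS:
        return {"error": "invalid_request",
                "error_description": "transform algorithm not supported"}
    else:
        pkce = (challenge, method)
    code = secrets.token_urlsafe(32)
    issued_codes[code] = pkce  # remembered so the token request can be checked
    return {"code": code}


def exchange(code: str, code_verifier=None) -> dict:
    """Token endpoint: verify code_verifier against the stored challenge (RFC 7636 4.6)."""
    if code not in issued_codes:
        return {"error": "invalid_grant"}
    pkce = issued_codes.pop(code)  # authorization codes are single use
    if pkce is None:
        return {"ok": True}  # no challenge was bound to this code: plain RFC 6749 flow
    challenge, method = pkce
    if code_verifier is None or not 43 <= len(code_verifier) <= 128:  # RFC 7636 4.1
        return {"error": "invalid_grant"}
    expected = s256_challenge(code_verifier) if method == "S256" else code_verifier
    if not secrets.compare_digest(expected, challenge):
        return {"error": "invalid_grant"}
    return {"ok": True}
```

So the presence check belongs at the authorization endpoint on code_challenge (driven by your policy), while the token endpoint only needs to check code_verifier when a challenge was recorded for that code.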