However, PKCE should be verified in other methods to mitigate vulnerabilities as described below.
PKCE is not a form of client authentication, and PKCE is not a replacement for a client secret or other client authentication. PKCE is recommended even if a client is using a client secret or other form of client authentication like private_key_jwt.
Although I agree with the recommendation, oauth.net is not a definitive resource for the standard, which is described in RFCs. What you describe is OAuth V2.1, I believe. We already have an issue open for that: #254. You can vote there with a thumbs up and we can assign priorities based on that.
At the moment we are compliant with OAuth V2. Closing as duplicate.
Preflight Checklist
Describe your problem
Thanks for such a nice library!
I notice that PKCE is verified only when the auth method is none in the code exchange.
oidc/pkg/op/token_code.go, lines 96 to 103 in d58ab6a
However, PKCE should be verified in other methods to mitigate vulnerabilities as described below.
https://oauth.net/2/pkce/
Describe your ideal solution
If PKCE params were requested in authorize, verifying them whenever possible is ideal.
Version
No response
Environment
Self-hosted
Additional Context
No response
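The check the issue asks for, as an added example that is not part of the original issue and not code from the oidc library: a token-endpoint PKCE verifier (RFC 7636) that runs for every client authentication method, not only for `none`. Client authentication (client secret, private_key_jwt, ...) proves who the client is; PKCE proves that the party redeeming the code is the one that started the authorization request, so the two checks are independent and both should run. The `authCode` struct and the policy for confidential clients that sent no challenge are assumptions made for this example.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"regexp"
)

// authCode models what the server stored when it issued the code.
// Constructed for this example; it is not the oidc library's type.
type authCode struct {
	ClientID        string
	AuthMethod      string // "none", "client_secret_basic", "private_key_jwt", ...
	CodeChallenge   string // code_challenge from the authorize request, "" if absent
	ChallengeMethod string // "S256", "plain", or "" (RFC 7636 defaults to plain)
}

var errPKCE = errors.New("invalid_grant: PKCE verification failed")

// RFC 7636 section 4.1: code_verifier is 43..128 unreserved characters.
var verifierRe = regexp.MustCompile(`^[A-Za-z0-9\-._~]{43,128}$`)

// S256Challenge derives the code_challenge a client sends for a verifier
// (BASE64URL-ENCODE(SHA256(ASCII(code_verifier))) without padding).
func S256Challenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// VerifyPKCE binds the token request to the authorize request. It is meant to
// be called after client authentication has succeeded, whatever that method
// was, so that a stolen code cannot be redeemed by a client that merely holds
// valid credentials of its own.
func VerifyPKCE(code authCode, codeVerifier string) error {
	if code.CodeChallenge == "" {
		// No challenge at /authorize. Public clients must use PKCE; for
		// confidential clients this example allows omitting it (assumed policy).
		if code.AuthMethod == "none" {
			return errors.New("invalid_request: PKCE is required for public clients")
		}
		if codeVerifier != "" {
			return errPKCE // verifier without a challenge is a mismatch, not a pass
		}
		return nil
	}
	if !verifierRe.MatchString(codeVerifier) {
		return errPKCE
	}
	var expected string
	switch code.ChallengeMethod {
	case "S256":
		expected = S256Challenge(codeVerifier)
	case "plain", "":
		expected = codeVerifier
	default:
		return errPKCE // unknown method: never fall through to "plain"
	}
	if subtle.ConstantTimeCompare([]byte(expected), []byte(code.CodeChallenge)) != 1 {
		return errPKCE
	}
	return nil
}

func main() {
	// Constructed sample: a confidential client (private_key_jwt) that also
	// sent a PKCE challenge. Verifier/challenge pair from RFC 7636 Appendix B.
	verifier := "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
	code := authCode{
		ClientID:        "web-app",
		AuthMethod:      "private_key_jwt",
		CodeChallenge:   S256Challenge(verifier),
		ChallengeMethod: "S256",
	}
	fmt.Println("legitimate client:", VerifyPKCE(code, verifier))
	// An attacker who captured the code and authenticates as the same
	// confidential client still lacks the verifier.
	fmt.Println("replayed code:", VerifyPKCE(code, "wrong-verifier-wrong-verifier-wrong-verifier-xx"))
}
```

The verifier regex rejects out-of-spec values before hashing, the unknown-method branch fails closed instead of degrading to `plain`, and the comparison is constant-time, which matters most for the `plain` method where the challenge is the secret itself.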