Oidcdebugger & PKCE code verifier is required when the token endpoint authentication method is 'NONE'

I have been using the oidcdebugger for the last several weeks, successfully getting a code which I can then exchange for a token. But something seems to have changed.

I noticed that the state parameter used to be blank but now is filled with some random text. I don’t think that has anything to do with my problem, just an observation that it seems to have changed.

But when I use the code to get the token I get:
PKCE code verifier is required when the token endpoint authentication method is 'NONE'

I have seen in other posts that fixing this is just removing the code_challenge from the request to get the code. I can do that by taking the HTTP request that oidcdebugger generates, removing the code_challenge and code_challenge_method, and submitting the request in a browser, but it seems that some of the convenience of the very convenient oidcdebugger has disappeared.

Does anyone know if there is a way to have the tool not automatically generate the code_challenge and if I am missing something?

Hi @prothery, looks like the same issue has been reported to this open source tool: PKCE parameters are always sent, even when "Use PKCE" is unchecked (Issue #76, nbarbettini/oidc-debugger, GitHub).

Thank you, I appreciate the update and I will watch the GitHub link.

Paul
