Should Okta return an error if code_verifier is included in a non-PKCE flow?

Looking for opinions on this (submitted on behalf of another party): bug or feature request?

Scenario: We have a confidential client and we’re doing an Authorization Code Flow.

  1. The Confidential Client generates a PKCE and includes that in the request /authorize request. URL is sent to Resource Owner.

  2. An attacker or the Resource Owner deletes the bit &code_challenge_method=S256&code_challenge={code}. This downgrades the request from Auth Code Flow with PKCE to just Auth Code Flow.

  3. The Resource Owner completes the sign-in with the URL from step 1.

  4. Authorization Code is returned to the Confidential Client

  5. Confidential Client goes to request the tokens and includes the code_verifier in the API call.

Current behavior : OKTA returns the tokens.

Expected/Desired behavior: An error is returned saying that you can’t include code_verifier in a non PKCE flow.

Currently OKTA does not alert the Confidential Client that a non-PKCE flow has taken place. OKTA happily accepts the code_verifier for a non-PKCE flow in the token request which gives the confidential client false sense of security.

Example: URL for the user:

https://{okta tenant}{client_id}7&response_type=code&scope=openid%20offline_access&redirect_uri={callback URL}&state={state}

This returns the Authorization Code to the callback URL. With that code we get the tokens:

curl --location --request POST ‘https://{okta tenant}
–header ‘Content-Type: application/x-www-form-urlencoded’
–header ‘accept: application/json’ \

–data-urlencode ‘grant_type=authorization_code’
–data-urlencode 'redirect_uri={callback URL}’
–data-urlencode ‘code={Authorization code from step above}’
–data-urlencode ‘client_id={client_id}’
–data-urlencode ‘client_secret={client_secret}’
–data-urlencode ‘code_verifier={code verifier for the PKCE you wanted to use}’
–data-urlencode ‘scope=openid offline_access’

This returns the tokens. I would expect that there is an error returned since the Confidential Client expects this to be a PKCE flow.

Yes a request with a code_verifier should be rejected if the authorization code was created in response to a request without a code_challenge.

This was discussed on the OAuth mailing list and some blog posts a little while ago:

It’s also worth noting this has been made explicit in OAuth 2.1: draft-ietf-oauth-v2-1-04