Closed travisty- closed 2 years ago
I'm seeing the same issue.
+1
You can work around this by taking the generated URL, removing the PKCE params, and then using the resulting URL, e.g. https://xyz.oktapreview.com/oauth2/default/v1/authorize?client_id=abc123&redirect_uri=https%3A%2F%2Foidcdebugger.com%2Fdebug&scope=openid&response_type=code&response_mode=query&state=abc123&nonce=def456
Thanks for the bug report. I'll try to get this fixed over the weekend, unless @travisty- or someone else (@aaronpk? 🙂) wants to submit a PR.
Fixed and deployed. Thanks for the PR @danielshoun!
When sending an authorization request, the PKCE parameters `code_challenge` and `code_challenge_method` are always included in the request, even when "Use PKCE" is unchecked.

This seems to effectively force you into using PKCE, so if you generate an authorization code this way you would have to include the `code_verifier` (that you didn't have any visibility into because "Use PKCE" was unchecked) to exchange it for a token.

https://github.com/nbarbettini/oidc-debugger/blob/bbd2a579b72d799e0f26c1751234d52d62035bab/OidcDebugger/Views/Home/index.js#L59-L62
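The behaviour the report expects, as an added example that is not the oidc-debugger source or the merged fix: the PKCE parameters are attached only when PKCE is enabled, and the `code_verifier` is handed back to the caller so it can be used in the token exchange. The function names, the `usePkce` option and the `idp.example` endpoint are assumptions made for illustration (Node.js).

```javascript
// Added example: hypothetical helper names, not taken from the project.
const nodeCrypto = require('crypto');

// RFC 7636: 32 random bytes give a 43-character base64url verifier.
function generateCodeVerifier() {
  return nodeCrypto.randomBytes(32).toString('base64url');
}

// S256: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
function deriveCodeChallenge(verifier) {
  return nodeCrypto.createHash('sha256').update(verifier, 'ascii').digest('base64url');
}

// Build the authorization URL; PKCE params are added only when opts.usePkce is set.
function buildAuthorizeRequest(opts) {
  const url = new URL(opts.authorizeUri);
  const p = url.searchParams;
  p.set('client_id', opts.clientId);
  p.set('redirect_uri', opts.redirectUri);
  p.set('scope', opts.scope);
  p.set('response_type', 'code');
  p.set('response_mode', 'query');
  p.set('state', opts.state);
  p.set('nonce', opts.nonce);

  let codeVerifier = null;
  if (opts.usePkce) {
    codeVerifier = opts.codeVerifier || generateCodeVerifier();
    p.set('code_challenge', deriveCodeChallenge(codeVerifier));
    p.set('code_challenge_method', 'S256');
  }
  // The verifier is returned so the user can see it and send it to the token endpoint.
  return { url: url.toString(), codeVerifier };
}

// Constructed sample input (placeholder endpoint and values).
const SAMPLE = {
  authorizeUri: 'https://idp.example/oauth2/default/v1/authorize',
  clientId: 'abc123',
  redirectUri: 'https://oidcdebugger.com/debug',
  scope: 'openid',
  state: 'abc123',
  nonce: 'def456',
};

console.log(buildAuthorizeRequest({ ...SAMPLE, usePkce: false }).url);
console.log(buildAuthorizeRequest({ ...SAMPLE, usePkce: true }));
```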