nbarbettini / oidc-debugger

OAuth 2.0 and OpenID Connect debugging tool
https://oidcdebugger.com
MIT License

PKCE parameters are always sent, even when "Use PKCE" is unchecked #76

Closed travisty- closed 2 years ago

travisty- commented 2 years ago

When sending an authorization request, the PKCE parameters code_challenge and code_challenge_method are always included in the request, even when "Use PKCE" is unchecked.

This seems to effectively force you into using PKCE, so if you generate an authorization code this way you would have to include the code_verifier (that you didn't have any visibility into because "Use PKCE" was unchecked) to exchange it for a token.

https://github.com/nbarbettini/oidc-debugger/blob/bbd2a579b72d799e0f26c1751234d52d62035bab/OidcDebugger/Views/Home/index.js#L59-L62

tonygfang commented 2 years ago

I'm seeing the same issue.

sigama-okta commented 2 years ago

+1

tonygfang commented 2 years ago

You can work around this by taking the generated URL, removing the PKCE params, and then using the resulting URL, e.g. https://xyz.oktapreview.com/oauth2/default/v1/authorize?client_id=abc123&redirect_uri=https%3A%2F%2Foidcdebugger.com%2Fdebug&scope=openid&response_type=code&response_mode=query&state=abc123&nonce=def456

nbarbettini commented 2 years ago

Thanks for the bug report. I'll try to get this fixed over the weekend, unless @travisty- or someone else (@aaronpk? 🙂) wants to submit a PR.

nbarbettini commented 2 years ago

Fixed and deployed. Thanks for the PR @danielshoun!