thephpleague / oauth2-server

A spec compliant, secure by default PHP OAuth 2.0 Server
https://oauth2.thephpleague.com
MIT License
6.52k stars 1.12k forks

Add method on AuthCodeGrant to disable plain verifier. #1208

Closed gbalcewicz closed 3 years ago

gbalcewicz commented 3 years ago

It would be nice to remove the plain verifier from codeChallengeVerifiers in AuthCodeGrant, for example with a disablePlainCodeChallengeMethod() method.

Sephster commented 3 years ago

The choice of verifier should be at the discretion of the client rather than the server. Unless security advice changes for the OAuth 2 spec with regards to this verifier, I think it would be best to leave it as is to remain spec compliant.
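For readers who want to enforce the policy requested in this issue at the application layer rather than inside the library, the following is an added, stand-alone example (not code from league/oauth2-server and not something the maintainers endorse here). It implements the two RFC 7636 transforms, `S256` and `plain`, and a server-side allow-list that refuses `plain` at the authorization endpoint. The names `ALLOWED_CHALLENGE_METHODS`, `checkChallengeRequest` and `verifyCodeVerifier` are hypothetical; RFC 7636 §4.4.1 requires a server to support `S256` and lets it answer an unsupported transform with an `invalid_request` error, which is the behaviour `checkChallengeRequest` models.

```php
<?php
declare(strict_types=1);

// RFC 7636 appendix A: base64url without '=' padding.
function base64UrlEncode(string $raw): string
{
    return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
}

// Hypothetical server policy (not a league/oauth2-server setting):
// only S256 is accepted. Add 'plain' here to restore spec-default behaviour.
const ALLOWED_CHALLENGE_METHODS = ['S256'];

// RFC 7636 section 4.1/4.2: verifier and challenge are 43..128 characters
// drawn from the unreserved set [A-Za-z0-9-._~].
const PKCE_TOKEN_PATTERN = '/^[A-Za-z0-9\-._~]{43,128}$/';

/**
 * Authorization endpoint check. Returns null when the request is acceptable,
 * otherwise an error_description suitable for an invalid_request response.
 */
function checkChallengeRequest(string $challenge, string $method): ?string
{
    if (!in_array($method, ALLOWED_CHALLENGE_METHODS, true)) {
        return "code_challenge_method '$method' is not supported";
    }
    if (preg_match(PKCE_TOKEN_PATTERN, $challenge) !== 1) {
        return 'code_challenge is malformed';
    }
    return null;
}

/**
 * Token endpoint check: recompute the challenge from the presented
 * code_verifier and compare it, in constant time, with the challenge that
 * was stored alongside the authorization code.
 */
function verifyCodeVerifier(string $verifier, string $storedChallenge, string $storedMethod): bool
{
    if (preg_match(PKCE_TOKEN_PATTERN, $verifier) !== 1) {
        return false;
    }
    switch ($storedMethod) {
        case 'S256':
            // challenge = BASE64URL(SHA256(ASCII(code_verifier)))
            $derived = base64UrlEncode(hash('sha256', $verifier, true));
            break;
        case 'plain':
            // challenge = code_verifier: anyone who saw the authorization
            // request already knows the secret, which is why it is disallowed above.
            $derived = $verifier;
            break;
        default:
            return false;
    }
    return hash_equals($storedChallenge, $derived);
}

// Constructed walk-through of one client session.
$verifier  = base64UrlEncode(random_bytes(32));                 // client keeps this
$challenge = base64UrlEncode(hash('sha256', $verifier, true));  // client sends this

$s256Error  = checkChallengeRequest($challenge, 'S256');        // accepted (null)
$plainError = checkChallengeRequest($verifier, 'plain');        // rejected with a message

$tokenOk    = verifyCodeVerifier($verifier, $challenge, 'S256');
$tokenBad   = verifyCodeVerifier(base64UrlEncode(random_bytes(32)), $challenge, 'S256');

printf("S256 request: %s\n", $s256Error ?? 'accepted');
printf("plain request: %s\n", $plainError ?? 'accepted');
printf("token exchange with correct verifier: %s\n", $tokenOk ? 'ok' : 'rejected');
printf("token exchange with wrong verifier: %s\n", $tokenBad ? 'ok' : 'rejected');
```

The check runs at the authorization endpoint, before the code is issued, so a client that only supports `plain` fails early with a descriptive error instead of getting a code it can never redeem. `hash_equals` is used deliberately; a plain `===` on the derived challenge would leak timing information about the stored value.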