Closed gbalcewicz closed 3 years ago
The choice of verifier should be at the discretion of the client rather than the server. Unless security advice changes for the OAuth 2 spec with regard to this verifier, I think it would be best to leave it as is to remain spec compliant.
It would be nice to remove the plain verifier from codeChallengeVerifiers in AuthCodeGrant, for example:
disablePlainCodeChallengeMethod()
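
To illustrate the trade-off discussed in this thread, here is an added example (not code from the project or from either commenter): a standalone Python sketch of RFC 7636 PKCE verification in which the server can refuse the plain method. The class PkcePolicy and its allow_plain flag are hypothetical names chosen for this sketch.

```python
import base64
import hashlib
import hmac
import re

# RFC 7636 section 4.1: code_verifier is 43-128 characters from the unreserved set.
VERIFIER_RE = re.compile(r"[A-Za-z0-9\-._~]{43,128}")


def s256_challenge(verifier: str) -> str:
    """BASE64URL(SHA256(ASCII(verifier))) without padding (RFC 7636 section 4.2)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class PkcePolicy:
    """Hypothetical server-side policy object (an assumption of this example)."""

    def __init__(self, allow_plain: bool = True):
        # S256 is always accepted; "plain" only when the operator allows it.
        self.allowed = {"S256"} | ({"plain"} if allow_plain else set())

    def accept_challenge(self, method) -> str:
        """Authorization request: resolve and check code_challenge_method."""
        method = method or "plain"  # RFC 7636: an omitted method means "plain"
        if method not in self.allowed:
            raise ValueError(f"code_challenge_method {method!r} is not allowed")
        return method

    def verify(self, method: str, challenge: str, verifier: str) -> bool:
        """Token request: check code_verifier against the stored challenge."""
        if method not in self.allowed or not VERIFIER_RE.fullmatch(verifier):
            return False
        # With "plain" the challenge is the verifier itself, so whoever saw the
        # authorization request already holds the secret. S256 sends only a hash.
        expected = s256_challenge(verifier) if method == "S256" else verifier
        return hmac.compare_digest(expected.encode(), challenge.encode())
```

With allow_plain=False, a request that omits code_challenge_method is rejected too, because the RFC default for an omitted method is plain.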