Achoo! Kraken
ZITADEL · 3mo ago
5 replies

PKCE not enforced

Self-hosted · Authentication · APIs · Question · OIDC
I created an app with the Authentication Code flow and PKCE enabled.
Here's the summary as displayed by the wizard:
Grant Types [ Authorization Code ]
Response Types [ Code ]
Authentication Method None
Redirect URIs [ https://api.example.com/login/do ]
Post Logout URIs [ https://api.example.com/logout ]
Development Mode Disabled


The problem is, I can log in and exchange the code for tokens without ever specifying code_challenge / code_challenge_method / code_verifier.

The only way to effectively enforce PKCE is to include code_verifier in the token endpoint request, in which case I get "code_verifier unexpectedly provided".

I'm not sure if this is relevant, but the summary screen shows the following for various Authentication Methods:
PKCE: None
CODE: Basic
JWT: Private Key JWT
POST: Post

Shouldn't Zitadel enforce PKCE parameters in the login request if the app is configured to use it?
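The behaviour the question expects, as an added example that is not ZITADEL's code and not part of the thread: a toy authorization server that binds the PKCE challenge to the issued code and decides at the token endpoint what is required. The client-side pair generation and the server checks follow RFC 7636 (S256 method, 43-128 character verifier, `invalid_request` at the authorization endpoint, `invalid_grant` at the token endpoint). The `AuthServer` class, its `app_requires_pkce` flag and the error strings (including one modelled on the "code_verifier unexpectedly provided" message quoted above) are assumptions for illustration, not ZITADEL's implementation.

```python
"""Model of PKCE enforcement at the authorization and token endpoints (RFC 7636).

Added illustration; AuthServer and its flags are hypothetical, not ZITADEL's code.
"""
import base64
import hashlib
import hmac
import re
import secrets

# RFC 7636 section 4.1: unreserved characters, 43 to 128 of them.
VERIFIER_RE = re.compile(r"[A-Za-z0-9\-._~]{43,128}")


def b64url(data):
    """base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair():
    """Client side: 32 random bytes -> 43-char verifier, S256 challenge derived from it."""
    verifier = b64url(secrets.token_bytes(32))
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


class AuthServer:
    """Toy authorization server for one app whose PKCE requirement is fixed at construction."""

    def __init__(self, app_requires_pkce):
        self.app_requires_pkce = app_requires_pkce
        self._pending = {}  # authorization code -> challenge bound to it (None if none sent)

    def authorize(self, code_challenge=None, code_challenge_method=None):
        """Authorization endpoint. Returns {"code": ...} or an OAuth error object."""
        if code_challenge is None:
            # An app configured for PKCE must send a challenge; this is the check
            # the question above is asking for.
            if self.app_requires_pkce:
                return {"error": "invalid_request",
                        "error_description": "code_challenge required"}
        elif code_challenge_method != "S256":
            # "plain" offers no protection against a leaked challenge; accept S256 only.
            return {"error": "invalid_request",
                    "error_description": "transform algorithm not supported"}
        code = secrets.token_urlsafe(32)
        self._pending[code] = code_challenge
        return {"code": code}

    def token(self, code, code_verifier=None):
        """Token endpoint. Codes are single-use; the challenge bound at authorize() decides what is required."""
        if code not in self._pending:
            return {"error": "invalid_grant", "error_description": "unknown or already used code"}
        challenge = self._pending.pop(code)
        if challenge is None:
            # No challenge was bound, so a verifier cannot be checked against anything.
            if code_verifier is not None:
                return {"error": "invalid_grant",
                        "error_description": "code_verifier unexpectedly provided"}
        else:
            if code_verifier is None:
                return {"error": "invalid_grant", "error_description": "code_verifier required"}
            if not VERIFIER_RE.fullmatch(code_verifier):
                return {"error": "invalid_grant", "error_description": "malformed code_verifier"}
            expected = b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
            if not hmac.compare_digest(expected, challenge):
                return {"error": "invalid_grant", "error_description": "code_verifier mismatch"}
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    strict = AuthServer(app_requires_pkce=True)
    print(strict.authorize())  # rejected: no code_challenge
    issued = strict.authorize(code_challenge=challenge, code_challenge_method="S256")
    print(strict.token(issued["code"], code_verifier=verifier))  # tokens
    lax = AuthServer(app_requires_pkce=False)
    issued = lax.authorize()
    print(lax.token(issued["code"], code_verifier=verifier))  # unexpectedly provided
```

The "unexpectedly provided" branch is the only one the question reports seeing; in this model it can only be reached when no challenge was bound at the authorization endpoint, which is why a server that skips the `code_challenge required` check will happily issue tokens to a PKCE-less request and then reject the verifier later.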