Attackers can downgrade PKCE protection without the server noticing. The server should reject any authorization code exchange in which a code_verifier is presented when no code_challenge was present in the corresponding authorization request.
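One way a token endpoint can enforce this check, as an added example that is not code from the test suite this page belongs to: the server records the code_challenge (or its absence) with each issued authorization code and refuses the exchange if a code_verifier arrives for a code that was issued without a challenge. The in-memory store and the function names are assumptions made for this illustration.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed in-memory store of issued authorization codes (assumption for this
# example). Each record keeps the code_challenge seen in the authorization
# request, or None when the client sent no PKCE parameters.
_ISSUED_CODES = {}


def issue_code(client_id, code_challenge=None, code_challenge_method="S256"):
    """Authorization endpoint: bind the PKCE state of the request to the code."""
    code = secrets.token_urlsafe(32)
    _ISSUED_CODES[code] = {
        "client_id": client_id,
        "code_challenge": code_challenge,
        "method": code_challenge_method if code_challenge else None,
    }
    return code


def s256(code_verifier):
    """RFC 7636 S256 transform: BASE64URL(SHA256(verifier)) without padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def exchange_code(code, client_id, code_verifier=None):
    """Token endpoint: returns (accepted, reason)."""
    record = _ISSUED_CODES.pop(code, None)  # codes are single use
    if record is None or record["client_id"] != client_id:
        return False, "invalid_grant"
    challenge = record["code_challenge"]
    if challenge is None:
        # Downgrade guard: the authorization request carried no code_challenge,
        # so a code_verifier at the token endpoint means the challenge was
        # stripped in transit. Reject instead of silently ignoring the verifier.
        if code_verifier is not None:
            return False, "invalid_grant: code_verifier without code_challenge"
        return True, "ok (no PKCE in this flow)"
    if code_verifier is None:
        return False, "invalid_grant: code_verifier required"
    if record["method"] == "S256":
        expected = s256(code_verifier)
    elif record["method"] == "plain":
        expected = code_verifier
    else:
        return False, "invalid_request: unsupported code_challenge_method"
    if not hmac.compare_digest(expected, challenge):
        return False, "invalid_grant: code_verifier does not match"
    return True, "ok"
```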