Is PKCE downgrade detected (authorization request)

Attackers can downgrade PKCE protection without the server noticing. The server should reject any authorization code exchange that presents a code_verifier when the authorization request contained no code_challenge.
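A token-endpoint check that enforces this rule, as an added example (not the test suite's own code). The `grant` record, the `require_pkce` flag and the function names are assumptions; the S256 transform and the verifier character set follow RFC 7636.

```python
import base64
import hashlib
import hmac
import re
from typing import Optional

# RFC 7636 code_verifier: 43-128 characters from the unreserved set
VERIFIER_RE = re.compile(r"[A-Za-z0-9._~-]{43,128}")

def s256(code_verifier: str) -> str:
    """S256 code_challenge: unpadded BASE64URL(SHA256(code_verifier))."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def pkce_error(grant: dict, code_verifier: Optional[str],
               require_pkce: bool = False) -> Optional[str]:
    """Return None if the token request passes PKCE checks, else a reason.

    `grant` is a hypothetical record stored with the authorization code; it
    holds the code_challenge and code_challenge_method from the authorization
    request, or None for both when the request carried no challenge.
    """
    challenge = grant.get("code_challenge")
    method = grant.get("code_challenge_method") or "plain"
    if challenge is None:
        if code_verifier is not None:
            # Downgrade: the client used PKCE, but no challenge was bound to
            # this code, so the verifier cannot be checked against anything.
            return "code_verifier presented without a code_challenge"
        return "PKCE required" if require_pkce else None
    if code_verifier is None or not VERIFIER_RE.fullmatch(code_verifier):
        return "code_verifier missing or malformed"
    if method == "S256":
        expected = s256(code_verifier)
    elif method == "plain":
        expected = code_verifier
    else:
        return "unsupported code_challenge_method"
    if not hmac.compare_digest(expected.encode(), challenge.encode()):
        return "code_verifier does not match code_challenge"
    return None

if __name__ == "__main__":
    verifier = "constructed-verifier-" + "x" * 30  # constructed sample value
    bound = {"code_challenge": s256(verifier), "code_challenge_method": "S256"}
    stripped = {"code_challenge": None, "code_challenge_method": None}
    print("normal flow:    ", pkce_error(bound, verifier))
    print("downgraded flow:", pkce_error(stripped, verifier))
```

A non-None result should be returned to the client as an `invalid_grant` error, and the authorization code should not be redeemed.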



This test is part of the following document(s):
