RFC Errata


RFC 7636, "Proof Key for Code Exchange by OAuth Public Clients", September 2015

Source of RFC: oauth (sec)
See Also: RFC 7636 w/ inline errata

Errata ID: 5687
Status: Verified
Type: Technical
Publication Format(s): TEXT

Reported By: Collin Sauve
Date Reported: 2019-04-09
Verifier Name: Benjamin Kaduk
Date Verified: 2019-04-14

Section 5 says:

Server implementations of this specification MAY accept OAuth2.0
clients that do not implement this extension.  If the "code_verifier"
is not received from the client in the Authorization Request, servers
supporting backwards compatibility revert to the OAuth 2.0 [RFC6749]
protocol without this extension.

As the OAuth 2.0 [RFC6749] server responses are unchanged by this
specification, client implementations of this specification do not
need to know if the server has implemented this specification or not
and SHOULD send the additional parameters as defined in Section 4 to
all servers.

It should say:

Server implementations of this specification MAY accept OAuth2.0
clients that do not implement this extension.  If the "code_challenge"
is not received from the client in the Authorization Request, servers
supporting backwards compatibility revert to the OAuth 2.0 [RFC6749]
protocol without this extension.

As the OAuth 2.0 [RFC6749] server responses are unchanged by this
specification, client implementations of this specification do not
need to know if the server has implemented this specification or not
and SHOULD send the additional parameters as defined in Section 4 to
all servers.

Notes:

The code_verifier is not sent in the authorization request.
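The corrected Section 5 text describes two separate hops: the client sends "code_challenge" with the authorization request and "code_verifier" only later, with the token request. The following is an added illustration, not text or code from RFC 7636: a minimal authorization-server side of that flow in Python, with the backwards-compatible fallback for a request carrying no "code_challenge". The function names and the in-memory code store are this example's own.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed in-memory store: authorization code -> (code_challenge, method).
_issued_codes = {}


def s256_challenge(code_verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), unpadded (RFC 7636 s4.2)."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def issue_code(auth_request: dict) -> str:
    """Authorization endpoint: bind the client's code_challenge (if any) to the code.
    A request without code_challenge is treated as a plain RFC 6749 client (Section 5)."""
    challenge = auth_request.get("code_challenge")
    method = auth_request.get("code_challenge_method", "plain")
    if challenge is not None and method not in ("plain", "S256"):
        raise ValueError("invalid_request: unsupported code_challenge_method")
    code = secrets.token_urlsafe(32)
    _issued_codes[code] = (challenge, method)
    return code


def redeem_code(token_request: dict) -> bool:
    """Token endpoint: check code_verifier against the challenge bound at issuance.
    Returns True if the code may be exchanged; every code is single-use."""
    entry = _issued_codes.pop(token_request["code"], None)
    if entry is None:
        return False  # unknown or already-used code
    challenge, method = entry
    verifier = token_request.get("code_verifier")
    if challenge is None:
        return True  # backwards-compatible path: no PKCE bound to this code
    if verifier is None or not 43 <= len(verifier) <= 128:
        return False  # PKCE was started, so a well-formed verifier is mandatory (s4.1, s4.6)
    expected = verifier if method == "plain" else s256_challenge(verifier)
    return hmac.compare_digest(expected, challenge)
```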
