Skip to content

Implement rfc9700 PKCE downgrade countermeasure#864

Merged
azmeuk merged 1 commit into
authlib:mainfrom
azmeuk:rfc9700
Feb 27, 2026
Merged

Implement rfc9700 PKCE downgrade countermeasure#864
azmeuk merged 1 commit into
authlib:mainfrom
azmeuk:rfc9700

Conversation

@azmeuk

@azmeuk azmeuk commented Feb 26, 2026

Copy link
Copy Markdown
Member

Implement the RFC9700 security recommandation about PKCE downgrade attack.

Beyond this, to prevent PKCE downgrade attacks, the authorization server MUST ensure that if there was no code_challenge in the authorization request, a request to the token endpoint containing a code_verifier is rejected.

What kind of change does this PR introduce?

Reject token requests when a code verifier is passed without a code challenge.

Does this PR introduce a breaking change?

No

Checklist

  • The commits follow the conventional commits specification.
  • You ran the linters with prek.
  • You wrote unit test to demonstrate the bug you are fixing, or to stress the feature you are bringing.
  • You reached 100% of code coverage on the code you edited, without abusive use of pragma: no cover
  • If this PR is about a new feature, or a behavior change, you have updated the documentation accordingly.
  • You consent that the copyright of your pull request source code belongs to Authlib's author.

@azmeuk azmeuk changed the title Fix rfc9700 PKCE downgrade countermeasure Implement rfc9700 PKCE downgrade countermeasure Feb 26, 2026
@azmeuk azmeuk requested review from Copilot and lepture and removed request for Copilot February 26, 2026 20:23
@azmeuk azmeuk added role:authorization_server Concerns a server implementation spec:rfc7636 Proof Key for Code Exchange by OAuth Public Clients labels Feb 26, 2026
@azmeuk azmeuk merged commit 7f37b71 into authlib:main Feb 27, 2026
11 checks passed
@azmeuk azmeuk deleted the rfc9700 branch February 27, 2026 07:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

role:authorization_server Concerns a server implementation spec:rfc7636 Proof Key for Code Exchange by OAuth Public Clients

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants