RFC Errata
RFC 7636, "Proof Key for Code Exchange by OAuth Public Clients", September 2015
Source of RFC: oauth (sec)
See Also: RFC 7636 w/ inline errata
Errata ID: 5687
Status: Verified
Type: Technical
Publication Format(s): TEXT
Reported By: Collin Sauve
Date Reported: 2019-04-09
Verifier Name: Benjamin Kaduk
Date Verified: 2019-04-14
Section 5 says:
Server implementations of this specification MAY accept OAuth2.0 clients that do not implement this extension. If the "code_verifier" is not received from the client in the Authorization Request, servers supporting backwards compatibility revert to the OAuth 2.0 [RFC6749] protocol without this extension. As the OAuth 2.0 [RFC6749] server responses are unchanged by this specification, client implementations of this specification do not need to know if the server has implemented this specification or not and SHOULD send the additional parameters as defined in Section 4 to all servers.
It should say:
Server implementations of this specification MAY accept OAuth2.0 clients that do not implement this extension. If the "code_challenge" is not received from the client in the Authorization Request, servers supporting backwards compatibility revert to the OAuth 2.0 [RFC6749] protocol without this extension. As the OAuth 2.0 [RFC6749] server responses are unchanged by this specification, client implementations of this specification do not need to know if the server has implemented this specification or not and SHOULD send the additional parameters as defined in Section 4 to all servers.
Notes:
The code_verifier is not sent in the authorization request.
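The following is an added illustration, not part of the errata or of RFC 7636: a minimal Python authorization server showing the backward-compatibility decision the corrected text describes. PKCE is engaged by the presence of "code_challenge" in the authorization request; "code_verifier" only ever arrives at the token endpoint, so it cannot be the thing the server checks for at authorization time. The endpoint function names and the in-memory code store are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed in-memory store: authorization code -> record. The record keeps
# the PKCE challenge captured at the authorization endpoint, or None when the
# client sent no code_challenge (a pre-PKCE RFC 6749 client).
AUTH_CODES: dict = {}


def authorization_request(client_id: str, params: dict) -> str:
    """Authorization endpoint (hypothetical name). PKCE is engaged only when
    code_challenge is present here; code_verifier never appears in this request."""
    challenge = params.get("code_challenge")
    method = params.get("code_challenge_method", "plain") if challenge else None
    if challenge is not None and method not in ("plain", "S256"):
        raise ValueError("invalid_request: unsupported code_challenge_method")
    code = secrets.token_urlsafe(32)
    AUTH_CODES[code] = {"client_id": client_id, "challenge": challenge, "method": method}
    return code


def _s256(verifier: str) -> str:
    """S256 transform from RFC 7636 Section 4.2: BASE64URL(SHA256(ASCII(verifier)))."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def token_request(client_id: str, params: dict) -> dict:
    """Token endpoint (hypothetical name). Verifies code_verifier only if the
    authorization request carried a code_challenge; otherwise plain RFC 6749."""
    record = AUTH_CODES.pop(params.get("code"), None)  # codes are single use
    if record is None or record["client_id"] != client_id:
        return {"error": "invalid_grant"}
    if record["challenge"] is None:
        # Backward-compatible path: no PKCE check, exactly as RFC 6749 would do.
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}
    verifier = params.get("code_verifier")
    if verifier is None or not 43 <= len(verifier) <= 128:
        return {"error": "invalid_grant", "error_description": "code_verifier required"}
    expected = _s256(verifier) if record["method"] == "S256" else verifier
    if not hmac.compare_digest(expected, record["challenge"]):
        return {"error": "invalid_grant"}
    return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}
```

A code that was issued with a challenge is never exchangeable without a matching verifier, while a code issued to a client that sent no challenge goes through the unchanged RFC 6749 path.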