// ---> removed the PKCE requirement
Instead of removing PKCE check, you should do this:

```java
// Only the authorization_code grant carries a code_verifier; the refresh_token
// grant does not, so gate the PKCE check on the grant type instead of dropping it.
String grantTypeStr = (String) ((OAuth2ClientAuthenticationToken) authentication).getAdditionalParameters().get("grant_type");
boolean isGrantTypeAuthorizationCode = AuthorizationGrantType.AUTHORIZATION_CODE.getValue().equals(grantTypeStr);
if (isGrantTypeAuthorizationCode) {
    // Validate the "code_verifier" parameter for the public client
    this.codeVerifierAuthenticator.authenticateRequired(clientAuthentication, registeredClient);
}
```
CodeVerifierAuthenticator is protected, so you must copy it to your project and use the copy.
spring-authorization-server-guide/auth-server/src/main/java/org/example/authserver/PublicClientRefreshTokenAuthenticationProvider.java
Line 34 in 0fedb22
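A fuller sketch of what the comment above describes, as an added example rather than code from this PR or from Spring Authorization Server: a public-client AuthenticationProvider that enforces PKCE only for the authorization_code grant. It assumes CodeVerifierAuthenticator has been copied into the same package as advised, and that the request converter places grant_type into the token's additional parameters.

```java
import java.util.Map;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientAuthenticationToken;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;

// Authenticates public clients (client_authentication_method=none). PKCE is enforced
// for authorization_code; refresh_token carries no code_verifier, so that check is skipped.
public class PublicClientRefreshTokenAuthenticationProvider implements AuthenticationProvider {
    private final RegisteredClientRepository registeredClientRepository;
    // Assumption: a copy of Spring's package-private CodeVerifierAuthenticator lives in this package.
    private final CodeVerifierAuthenticator codeVerifierAuthenticator;

    public PublicClientRefreshTokenAuthenticationProvider(RegisteredClientRepository registeredClientRepository,
            OAuth2AuthorizationService authorizationService) {
        this.registeredClientRepository = registeredClientRepository;
        this.codeVerifierAuthenticator = new CodeVerifierAuthenticator(authorizationService);
    }

    @Override
    public Authentication authenticate(Authentication authentication) {
        OAuth2ClientAuthenticationToken clientAuthentication = (OAuth2ClientAuthenticationToken) authentication;
        if (!ClientAuthenticationMethod.NONE.equals(clientAuthentication.getClientAuthenticationMethod())) {
            return null; // not a public client: let another provider handle it
        }
        String clientId = clientAuthentication.getPrincipal().toString();
        RegisteredClient registeredClient = this.registeredClientRepository.findByClientId(clientId);
        if (registeredClient == null
                || !registeredClient.getClientAuthenticationMethods().contains(ClientAuthenticationMethod.NONE)) {
            throw new OAuth2AuthenticationException(OAuth2ErrorCodes.INVALID_CLIENT);
        }
        Map<String, Object> parameters = clientAuthentication.getAdditionalParameters();
        String grantType = (String) parameters.get("grant_type");
        if (AuthorizationGrantType.AUTHORIZATION_CODE.getValue().equals(grantType)) {
            // Validate the "code_verifier" parameter for the public client
            this.codeVerifierAuthenticator.authenticateRequired(clientAuthentication, registeredClient);
        }
        return new OAuth2ClientAuthenticationToken(registeredClient, ClientAuthenticationMethod.NONE, null);
    }

    @Override
    public boolean supports(Class<?> authentication) {
        return OAuth2ClientAuthenticationToken.class.isAssignableFrom(authentication);
    }
}
```

Skipping the verifier on the refresh_token grant is safe only because Spring's OAuth2RefreshTokenAuthenticationProvider still rejects a refresh token that was not issued to the authenticated registered client.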