Missing required PKCE code challenges should raise an error in the authorization endpoint
Description
The OIDC.SSO profile can be configured to require PKCE. Currently the OP plugin only verifies this in the token endpoint, when the authorization code is exchanged for an id_token and access token. That is not compliant with the spec: the authorization endpoint must already return an authorization error response with specific details if the code challenge is missing (see section 4.4.1 in [1]).
A new SWF action, ValidateCodeChallenge, verifies the PKCE parameters in the authorize flow (front-channel) too. Its code partly overlaps with the existing ValidatePKCE action, but differs enough that combining the two into one action did not seem the best option either.
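The following is an added illustration of the two checks discussed here, written in Python rather than as the OP plugin's own Java SWF actions: the front-channel check the authorization endpoint must perform per RFC 7636 section 4.4.1 (missing code_challenge or unsupported code_challenge_method answered with error=invalid_request in the redirect), and the back-channel code_verifier check the token endpoint already does. The function names (validate_code_challenge, error_redirect, handle_authorization_request, verify_code_verifier) are hypothetical; the test vectors are the ones from RFC 7636 Appendix B, and the client redirect URI and state values are constructed.

```python
"""Added example: PKCE enforcement at the authorization endpoint (front-channel)
and code_verifier verification at the token endpoint (back-channel).
Not the OP plugin's code; function names are hypothetical."""
import base64
import hashlib
import hmac
import re
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# RFC 7636 section 4.2: code_challenge is 43..128 "unreserved" characters.
CODE_CHALLENGE_RE = re.compile(r"^[A-Za-z0-9._~-]{43,128}$")
SUPPORTED_METHODS = ("S256", "plain")


def validate_code_challenge(params, require_pkce=True, allow_plain=False):
    """Front-channel check on the parsed authorization request query.

    Returns None when the request may proceed, otherwise an (error, error_description)
    tuple. RFC 7636 4.4.1: a missing challenge when the server requires PKCE, or an
    unsupported transform, MUST be answered with error=invalid_request *here*, not
    deferred to the token endpoint.
    """
    challenge = params.get("code_challenge")
    method = params.get("code_challenge_method", "plain")  # RFC 7636 4.3 default
    if challenge is None:
        if require_pkce:
            return ("invalid_request", "code challenge required")
        return None
    if not CODE_CHALLENGE_RE.match(challenge):
        return ("invalid_request", "code_challenge must be 43-128 unreserved characters")
    if method not in SUPPORTED_METHODS or (method == "plain" and not allow_plain):
        return ("invalid_request", "transform algorithm not supported")
    return None


def error_redirect(redirect_uri, error, description, state=None):
    """Build the RFC 6749 4.1.2.1 error redirect, keeping the client's own query
    parameters and echoing state. Caller must have validated redirect_uri against
    the client's registration first; never redirect to an unvalidated URI."""
    parts = urlsplit(redirect_uri)
    query = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    query["error"] = error
    query["error_description"] = description
    if state is not None:
        query["state"] = state
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), parts.fragment))


def handle_authorization_request(params, redirect_uri, require_pkce=True):
    """Returns None if the request passes the PKCE check, else the error redirect URL."""
    err = validate_code_challenge(params, require_pkce=require_pkce)
    if err is None:
        return None
    return error_redirect(redirect_uri, err[0], err[1], params.get("state"))


def verify_code_verifier(stored_challenge, stored_method, code_verifier):
    """Back-channel check at the token endpoint (RFC 7636 4.6): recompute the
    challenge from the presented code_verifier and compare in constant time."""
    if stored_method == "S256":
        digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
        derived = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    elif stored_method == "plain":
        derived = code_verifier
    else:
        return False
    return hmac.compare_digest(derived, stored_challenge)


if __name__ == "__main__":
    # Constructed request missing code_challenge while PKCE is required.
    print(handle_authorization_request({"state": "af0ifjsldkj"},
                                       "https://client.example.org/cb"))
```

Both checks are needed: the front-channel check gives the client the RFC-mandated invalid_request before any code is issued, and the back-channel check remains what actually binds the code to the client that started the flow.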
[1] https://datatracker.ietf.org/doc/html/rfc7636