Reference Errors in Section 4.1.1 #194

@mrcaidev

Description

There are two reference errors in the following paragraph in Section 4.1.1:

Clients MUST use code_challenge and code_verifier and authorization servers MUST enforce their use except under the conditions described in Section 7.5.1. In this case, using and enforcing code_challenge and code_verifier as described in the following is still RECOMMENDED.

1. No Exception Condition Given in Section 7.5.1

Clients MUST use code_challenge and code_verifier and authorization servers MUST enforce their use except under the conditions described in Section 7.5.1.

Section 7.5.1 no longer justifies the exception condition, which was only present in Draft v1:

  • The client is a confidential client.

  • In the specific deployment and the specific request, there is reasonable assurance for authorization server that the client implements the OpenID Connect nonce mechanism properly.

If this exception condition was removed on purpose, then code_challenge should be marked as REQUIRED only, not REQUIRED or RECOMMENDED as marked in Section 4.1.1. If this exception was meant to be moved to somewhere else, the reference link should be updated.

2. There is No "the following"

In this case, using and enforcing code_challenge and code_verifier as described in the following is still RECOMMENDED.

However, "the following" no longer describes the generation & transformation process of code_challenge and code_verifier, which was also only present in v1.

Generally speaking, there are currently some contradictions about the requirements of code_challenge.
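For context on what the removed "following" text used to describe, here is the code_verifier generation and S256 transformation from RFC 7636, together with the check an authorization server performs at the token endpoint, as an added Python example that is not part of this issue or the OAuth 2.1 draft; the function names and the `verify_pkce` structure are this example's own.

```python
import base64
import hashlib
import hmac
import re
import secrets

# Unreserved characters allowed in a code_verifier, 43 to 128 chars (RFC 7636 section 4.1).
_VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def _b64url(data: bytes) -> str:
    # base64url encoding without "=" padding, as PKCE requires.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def generate_code_verifier(n_bytes: int = 32) -> str:
    # Client side: 32 random bytes give a 43-character base64url verifier.
    return _b64url(secrets.token_bytes(n_bytes))


def code_challenge_s256(verifier: str) -> str:
    # Client side: code_challenge = BASE64URL(SHA256(ASCII(code_verifier))).
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def verify_pkce(stored_challenge: str, method: str, presented_verifier: str) -> bool:
    # Server side: recompute the challenge from the verifier sent to the
    # token endpoint and compare it with the one stored at /authorize.
    if not _VERIFIER_RE.fullmatch(presented_verifier):
        return False
    if method == "S256":
        expected = code_challenge_s256(presented_verifier)
    elif method == "plain":
        expected = presented_verifier
    else:
        return False
    # Constant-time comparison so the check does not leak via timing.
    return hmac.compare_digest(expected, stored_challenge)


if __name__ == "__main__":
    v = generate_code_verifier()
    c = code_challenge_s256(v)
    print(v, c, verify_pkce(c, "S256", v))
```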
