In order to support native apps, we are using the auth code flow with PKCE. In testing things though, we’ve found that if an authorization request is made without a code_challenge and code_verifier, the request will proceed as normal. When the auth code returns to the application, the application can then use that code to obtain a token without any kind of verifier or secret information.
We want to require that auth code flows with native apps require that a code_challenge and code_verifier be present in the authorization request. Is there a toggle in the Auth0 tenant or app configuration to require this? If not, we could probably throw together a rule to perform the check for us, but if we can let the configuration do it for us, that would be easier.