Require a code_challenge and code_verifier on auth code with PKCE grant

In order to support native apps, we are using the auth code flow with PKCE. In testing things though, we’ve found that if an authorization request is made without a code_challenge and code_verifier, the request will proceed as normal. When the auth code returns to the application, the application can then use that code to obtain a token without any kind of verifier or secret information.

We want to require that auth code flows with native apps require that a code_challenge and code_verifier be present in the authorization request. Is there a toggle in the Auth0 tenant or app configuration to require this? If not, we could probably throw together a rule to perform the check for us, but if we can let the configuration do it for us, that would be easier.

Thanks!

Hi @jlnaps.
There’s currently no setting to enforce usage of the PKCE.
As you know, the purpose of the PKCE is to ensure that the authorization code can only be exchanged by the application that made the authorization request, but it’s the application responsibility to properly implement this security measure (as one of many other things that an application needs to do to ensure proper security).

I understand the motivation to enforce this to ensure usage of best practices, though. There are ongoing efforts on this area but, even so, I’d suggest that you make a feature request at Auth0: Secure access for everyone. But not just anyone. to be taken into consideration by the product team.