Setting to require Proof Key for Code Exchange for OAuth Public Clients

Feature: Tenant or Application setting to require Proof Key for Code Exchange for OAuth Public Clients.

Description:

Even if the Auth0 official SDKs default to using Proof Key for Code Exchange (PKCE) for authenticating with the OAuth 2.0 Code Flow, other clients may still ignore this and proceed without it.

I would like a setting to require that, whenever a public client uses the OAuth 2.0 Code Flow, they are required to provide the REQUIRED parameters according to RFC7636.

When the setting is enabled, Auth0 should behave as explained in the specification, and should return an error message if clients fail to provide the parameters, as explained in section 4.4.1.

The setting should only affect the OAuth 2.0 Code Flow for public clients.

Use-case:

In organizations where the team managing the Authorization Server is different from the teams developing client implementations, it would be good to have a way to ensure some best practices.

With this feature, the Authorization Server team can ensure that public clients provide the minimum security (e.g. setting code flow as the only available grant type and requiring PKCE for public clients).
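To make the requested behaviour concrete, here is an added example (not from the original post and not Auth0's implementation) of the two server-side checks the setting would enforce, modelled on RFC 7636 sections 4.4.1 and 4.6. The `require_pkce` flag, the `client_is_public` flag, and the `authorize`/`token` function names are assumptions for illustration.

```python
import base64
import hashlib
import secrets
from typing import Optional

# Constructed illustration of "require PKCE for public clients" (RFC 7636).
# Function names and the require_pkce / client_is_public flags are assumptions.

def s256_challenge(code_verifier: str) -> str:
    """BASE64URL(SHA256(ASCII(code_verifier))), no padding (RFC 7636 section 4.2)."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def make_verifier() -> str:
    """A 43-character high-entropy code_verifier (RFC 7636 section 4.1)."""
    return secrets.token_urlsafe(32)

def authorize(params: dict, client_is_public: bool, require_pkce: bool) -> dict:
    """Authorization endpoint: with the setting on, a public client that omits
    code_challenge gets invalid_request (RFC 7636 section 4.4.1). Confidential
    clients are unaffected, as the request asks."""
    challenge = params.get("code_challenge")
    method = params.get("code_challenge_method", "plain")
    if require_pkce and client_is_public and not challenge:
        return {"error": "invalid_request",
                "error_description": "code challenge required"}
    if challenge and method not in ("plain", "S256"):
        return {"error": "invalid_request",
                "error_description": "transform algorithm not supported"}
    # The server stores the challenge and method with the issued code.
    return {"code": secrets.token_urlsafe(32),
            "code_challenge": challenge, "code_challenge_method": method}

def token(stored: dict, code_verifier: Optional[str]) -> dict:
    """Token endpoint: recompute the challenge from code_verifier and compare it
    with the stored one; a mismatch is invalid_grant (RFC 7636 section 4.6).
    A missing verifier for a PKCE-bound code is treated as a failed check."""
    challenge = stored.get("code_challenge")
    if challenge is None:
        return {"access_token": "constructed-token"}  # code not PKCE-bound
    if code_verifier is None:
        return {"error": "invalid_grant", "error_description": "code_verifier required"}
    if stored["code_challenge_method"] == "S256":
        ok = secrets.compare_digest(s256_challenge(code_verifier), challenge)
    else:
        ok = secrets.compare_digest(code_verifier, challenge)
    if not ok:
        return {"error": "invalid_grant", "error_description": "code_verifier mismatch"}
    return {"access_token": "constructed-token"}
```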

Hi @victor.pessolato.ext,

Thanks for the feature request!