Expected Findings
- `code_verifier` parameter is missing yet the token is issued.
- Authorization request did include a `code_challenge`.
- Public client has no secret rotation to fall back on, so a stolen authorization code alone is sufficient.
The authorization endpoint requires `code_challenge` at authorize time, but the token endpoint does not enforce `code_verifier` at exchange, so PKCE can be silently dropped.
CWE-345: Insufficient Verification of Data Authenticity
```javascript
// Vulnerable token-endpoint check: a missing code_verifier falls through to the same success path.
if (req.code_verifier && verify(...)) ok(); else ok(); // missing == ok
```