Requiring clients to use PKCE for their authorization requests
Authlete has a feature to require OAuth 2.0 clients to use PKCE (RFC 7636) for their authorization requests.
You can enable this feature by opening "Edit Service" and choosing "Required" at "Proof Key for Code Exchange (RFC 7636)" setting in "Authorization Endpoint" section under "Authorization" tab. The default selection is "Not Required."
Once enabled, the /auth/authorization API of that Authlete service rejects any authorization request that lacks a code_challenge parameter. An example is as follows (folded for readability):
Response to a request whose "parameters" carry an authorization request without code_challenge:
{
"type": "authorizationResponse",
"resultCode": "A124301",
"resultMessage": "[A124301] The authorization request
does not contain 'code_challenge' parameter. See RFC 7636
for details.",
...
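As an added illustration (not Authlete's own code), the following Python sketch shows the RFC 7636 mechanics behind this setting: the client's code_verifier/code_challenge derivation, an authorization-request check that produces the A124301 denial shown above, and the token-endpoint verification that ties the two together. The function names and the "accepted" field are assumptions for this example.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs

# Result text copied from the denial shown on this page; the "accepted" field is a
# placeholder for this example and is not an Authlete API field.
A124301_MESSAGE = ("[A124301] The authorization request does not contain "
                   "'code_challenge' parameter. See RFC 7636 for details.")


def make_code_verifier(nbytes: int = 32) -> str:
    """RFC 7636 section 4.1: 43..128 chars from [A-Za-z0-9-._~]. Base64url of 32
    random bytes (padding stripped) gives 43 such characters."""
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).rstrip(b"=").decode("ascii")


def s256_challenge(verifier: str) -> str:
    """RFC 7636 section 4.2: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def check_authorization_request(parameters: str, pkce_required: bool) -> dict:
    """Models the service-level check: with PKCE set to 'Required', an authorization
    request (given as its query string) without a non-empty code_challenge is denied."""
    params = parse_qs(parameters, keep_blank_values=True)
    challenge = params.get("code_challenge", [""])[0]
    if pkce_required and not challenge:
        return {"type": "authorizationResponse", "accepted": False,
                "resultCode": "A124301", "resultMessage": A124301_MESSAGE}
    return {"type": "authorizationResponse", "accepted": True,
            "code_challenge": challenge or None,
            "code_challenge_method": params.get("code_challenge_method", ["plain"])[0]}


def verify_code_verifier(verifier: str, challenge: str, method: str = "S256") -> bool:
    """Token-endpoint side (RFC 7636 section 4.6): recompute the challenge from the
    presented code_verifier and compare it in constant time with the stored one."""
    if not (43 <= len(verifier) <= 128):
        return False
    if method == "S256":
        expected = s256_challenge(verifier)
    elif method == "plain":
        expected = verifier
    else:
        return False
    return hmac.compare_digest(expected, challenge)
```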