PKCE does not get enforced #2993
-
In my product, I know that Hydra left untouched doesn't have this problem, so I've broken something in Hydra but I don't know what or how. One difference I noticed is that in the quickstart Hydra setup, an entry is added to the PKCE table when the authz code is generated and returned. However, in my application nothing is added to the PKCE table. The clients are set up the same way (

Where is the code in Hydra that stores the session in the PKCE table? Where is the code that checks the code_verifier?

PS: These lines look like what would be called when saving and retrieving the PKCE session. However, I don't see them executed anywhere in the package, so I don't know how/where the PKCE inputs get validated.
Replies: 1 comment 1 reply
-
The code you are looking for is most likely in fosite, e.g. here: https://github.com/ory/fosite/blob/master/handler/pkce/handler.go#L129

Good luck!
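To make concrete what a PKCE handler on the token endpoint has to do (and why an empty PKCE table means nothing is ever checked), here is an added example of the RFC 7636 flow in Go. It is illustrative code written for this thread, not Hydra's or fosite's implementation: the `Store`, `Policy` and error names are assumptions, and the in-memory map stands in for the PKCE table. The authorization endpoint saves the `code_challenge` and method under the issued code; the token endpoint looks it up, recomputes the challenge from the presented `code_verifier`, and compares in constant time. The `Enforce` flag shows the policy question from the title: if no challenge was stored for the code, an enforcing server must reject the token request rather than silently skip the check.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"regexp"
)

// Example PKCE check modelled on RFC 7636 sections 4.1 to 4.6.
// Not fosite's code; names below are assumptions for illustration.
var (
	ErrUnknownCode      = errors.New("pkce: unknown authorization code")
	ErrMissingChallenge = errors.New("pkce: code was issued without code_challenge but PKCE is enforced")
	ErrMissingVerifier  = errors.New("pkce: token request carried no code_verifier")
	ErrInvalidVerifier  = errors.New("pkce: code_verifier must be 43..128 unreserved characters")
	ErrVerifierMismatch = errors.New("pkce: code_verifier does not match stored code_challenge")
	ErrBadMethod        = errors.New("pkce: unsupported code_challenge_method")
	ErrPlainDisallowed  = errors.New("pkce: plain code_challenge_method is not allowed")
)

// RFC 7636 section 4.1: unreserved characters, 43 to 128 of them.
var verifierRe = regexp.MustCompile(`^[A-Za-z0-9._~-]{43,128}$`)

// Stored is what the authorization endpoint persists per code
// (the equivalent of one row in the PKCE table).
type Stored struct {
	Challenge string
	Method    string // "S256" or "plain"
}

// Policy is the server-side PKCE configuration (assumed names).
type Policy struct {
	Enforce    bool // reject token requests for codes issued without a challenge
	AllowPlain bool // whether code_challenge_method=plain is accepted
}

// Store is an in-memory stand-in for the PKCE table, keyed by authorization code.
type Store map[string]Stored

// SaveAuthorize records the challenge when the authorization code is issued.
// A challenge without a method defaults to "plain" (RFC 7636 section 4.3).
func (s Store) SaveAuthorize(code, challenge, method string) error {
	if challenge != "" && method == "" {
		method = "plain"
	}
	switch method {
	case "", "S256", "plain":
	default:
		return ErrBadMethod
	}
	s[code] = Stored{Challenge: challenge, Method: method}
	return nil
}

// S256Challenge is BASE64URL-ENCODE(SHA256(ASCII(code_verifier))) without padding.
func S256Challenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// ValidateToken is what the token endpoint runs before exchanging the code.
// Single-use handling of the code itself is assumed to happen elsewhere.
func (s Store) ValidateToken(p Policy, code, verifier string) error {
	st, ok := s[code]
	if !ok {
		return ErrUnknownCode
	}
	if st.Challenge == "" {
		if p.Enforce {
			return ErrMissingChallenge // nothing was stored: refuse, do not skip
		}
		return nil // PKCE is optional for this client
	}
	if verifier == "" {
		return ErrMissingVerifier
	}
	if !verifierRe.MatchString(verifier) {
		return ErrInvalidVerifier
	}
	var expected string
	switch st.Method {
	case "S256":
		expected = S256Challenge(verifier)
	case "plain":
		if !p.AllowPlain {
			return ErrPlainDisallowed
		}
		expected = verifier
	default:
		return ErrBadMethod
	}
	if subtle.ConstantTimeCompare([]byte(expected), []byte(st.Challenge)) != 1 {
		return ErrVerifierMismatch
	}
	return nil
}

func main() {
	// Constructed input: the RFC 7636 Appendix B test vector.
	verifier := "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
	store := Store{}
	_ = store.SaveAuthorize("code-1", S256Challenge(verifier), "S256")
	fmt.Println("good verifier:", store.ValidateToken(Policy{Enforce: true}, "code-1", verifier))
	fmt.Println("wrong verifier:", store.ValidateToken(Policy{Enforce: true}, "code-1", "a"+verifier[1:]))
	_ = store.SaveAuthorize("code-2", "", "")
	fmt.Println("no challenge, enforced:", store.ValidateToken(Policy{Enforce: true}, "code-2", verifier))
}
```

The two checks the question asks about map onto `SaveAuthorize` (run at authorization time) and `ValidateToken` (run at token time); if the first never writes a row, the second has nothing to compare against, and whether that is an error or a silent pass is exactly the `Enforce` decision.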