Using pkce authorization code with CAS version 6.1.7.2


Jorge Domingo

Mar 28, 2023, 6:12:37 AM
to CAS Community
Hi, I am new to using CAS.

I want to implement a public client with the authorization code PKCE flow so that the client does not have to use the client secret.
I have read in the documentation of my version that CAS accepts the authorization code PKCE flow in /oidc/authorize in the same way as it does with the authorization code flow. So I have removed the client secret from the client JSON so that I don't have to use it for the flow.

My problem is that when I make requests with Postman, it allows me to use both the authorization code PKCE and the authorization code flow for that client without a client secret. How can I make it so that it only supports the authorization code PKCE flow, and that if it does not receive a code_challenge from the client the call to /oidc/authorize fails?
In other words, make the code_challenge a mandatory parameter for this application when using the /oidc/authorize endpoint.

Petr Bodnár

May 7, 2025, 6:54:27 AM
to CAS Community, Jorge Domingo
Hi there, I think you've got a valid point here. I.e. it would probably be correct if /oidc/authorize wouldn't let you issue an authorization code if there seems to be no way to use that code - because when there is no client_secret nor code_challenge to check (nor other authentication methods set up), then how can the client authenticate when trying to get an access token from the code?
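The policy both posts describe (a client registered without a secret must present a code_challenge at the authorization endpoint, and the matching code_verifier at the token endpoint, or the code is never issued) can be written down as a small reference model. The block below is an added example, not CAS code and not a CAS configuration setting (the thread does not show one); the `Client` registry, the `require_pkce` flag, the in-memory code store and the placeholder access token are assumptions made for illustration. The OAuth parameter names and the S256 transform follow RFC 7636.

```python
"""Reference model of a PKCE-only policy for a public OAuth/OIDC client.

Added example, not CAS code. The client registry, the require_pkce flag,
the in-memory authorization-code store and the placeholder token are
assumptions made for illustration; parameter names follow RFC 7636.
"""
import base64
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


class OAuthError(Exception):
    """Raised for a request the server must refuse; the message is the OAuth error code."""


def s256_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL-ENCODE(SHA256(ASCII(code_verifier))), no padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def new_verifier() -> str:
    """A fresh high-entropy code_verifier (64 URL-safe chars, within the 43..128 bound)."""
    return secrets.token_urlsafe(48)


@dataclass
class Client:
    client_id: str
    client_secret: Optional[str] = None  # None marks a public client (no secret registered)
    require_pkce: bool = True            # assumed per-client policy flag for this model


@dataclass
class AuthServer:
    clients: Dict[str, Client]
    # issued code -> (client_id, code_challenge); constructed in-memory store
    codes: Dict[str, Tuple[str, str]] = field(default_factory=dict)

    def authorize(self, params: Dict[str, str]) -> str:
        """Model of /oidc/authorize: the PKCE check happens before any code is issued."""
        client = self.clients.get(params.get("client_id", ""))
        if client is None:
            raise OAuthError("unauthorized_client")
        if params.get("response_type") != "code":
            raise OAuthError("unsupported_response_type")
        challenge = params.get("code_challenge")
        if challenge is None:
            # A client with no secret has nothing else to prove possession with
            # at the token endpoint, so a code without a challenge would be unusable.
            if client.client_secret is None or client.require_pkce:
                raise OAuthError("invalid_request: code_challenge is required")
        elif params.get("code_challenge_method", "plain") != "S256":
            raise OAuthError("invalid_request: code_challenge_method must be S256")
        code = secrets.token_urlsafe(32)
        self.codes[code] = (client.client_id, challenge or "")
        return code

    def token(self, params: Dict[str, str]) -> str:
        """Model of /oidc/token for grant_type=authorization_code."""
        entry = self.codes.pop(params.get("code", ""), None)  # codes are single use
        if entry is None:
            raise OAuthError("invalid_grant")
        client_id, challenge = entry
        if params.get("client_id") != client_id:
            raise OAuthError("invalid_grant")
        client = self.clients[client_id]
        if client.client_secret is not None:
            presented = params.get("client_secret", "")
            if not secrets.compare_digest(presented, client.client_secret):
                raise OAuthError("invalid_client")
        if challenge:
            verifier = params.get("code_verifier", "")
            if not 43 <= len(verifier) <= 128:  # RFC 7636 section 4.1 length bounds
                raise OAuthError("invalid_grant")
            if not secrets.compare_digest(s256_challenge(verifier), challenge):
                raise OAuthError("invalid_grant")
        return "access-token-" + secrets.token_urlsafe(16)  # constructed placeholder


def run_scenarios() -> Dict[str, bool]:
    """Exercise the policy against a constructed public client and report outcomes."""
    server = AuthServer(clients={"public-app": Client("public-app")})
    verifier = new_verifier()
    base = {"client_id": "public-app", "response_type": "code"}
    results: Dict[str, bool] = {}

    # 1. Plain authorization code request without PKCE is refused at /authorize.
    try:
        server.authorize(dict(base))
        results["no_challenge_refused"] = False
    except OAuthError as exc:
        results["no_challenge_refused"] = "code_challenge" in str(exc)

    # 2. PKCE request succeeds and the code exchanges with the right verifier.
    code = server.authorize({**base, "code_challenge": s256_challenge(verifier),
                             "code_challenge_method": "S256"})
    token = server.token({"client_id": "public-app", "code": code, "code_verifier": verifier})
    results["pkce_exchange_ok"] = token.startswith("access-token-")

    # 3. A wrong verifier (or a replayed code) is refused at /token.
    code = server.authorize({**base, "code_challenge": s256_challenge(verifier),
                             "code_challenge_method": "S256"})
    try:
        server.token({"client_id": "public-app", "code": code, "code_verifier": new_verifier()})
        results["wrong_verifier_refused"] = False
    except OAuthError:
        results["wrong_verifier_refused"] = True
    return results


if __name__ == "__main__":
    print(run_scenarios())
```

The decisive line is the check in `authorize`: refusing the request when `code_challenge` is absent for a secret-less client is what keeps the plain authorization code flow from being usable for that application, which is the behaviour asked for in the thread. The constant-time comparison and the single-use code store are the two other checks worth keeping in any real implementation.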