Handling of code verification challenge

[BalSzabo]

If the realm level setting "Code verifier parameter required" is not active and the client sends the challenge for code verification the auth server doesn't check the code, but accepts any code challenge. The could be an active check regardless of it is required or not.

This is a realm level setting, we cannot enable it, because not all of our clients support this feature, but some clients would like to use it properly in the same realm.

OpenAM version: 14.6.4

[maximthomas]

@BalSzabo Hi, sorry for the late response. Why is it required to validate a code_verifier parameter, if a client can just omit it in the request and obtain an access token?