PKCE is recommended to prevent CSRF and authorization code injection attacks. We should consider enabling enabling PKCE for authorization_code flows by default to ensure we have secure defaults.
In order to ensure this goes as smoothly as possible, I think that we would need to:
- Ensure it is easy to disable in the event that it breaks users
- Align the Authorization Server
NOTE: This is a breaking change, so it would need to be done with Spring Security 7.0.
Comment From: kiruthiga1793
Hi @rwinch I am interested in working on this issue. Can you please assign me?