Support for plain code_challenge_method
k0mmsussert0d opened this issue · comments
I'm dealing with an Authorization Server that requires PKCE, but only supports the `plain` challenge method. For this reason, out-of-the-box RFC7636 support does not do the trick for me, since it only handles the `S256` PKCE challenge. Actually, I think this issue disqualifies authlib from the pool of dependencies I could use in my project entirely. If there's a workaround I could use to leverage authlib as an OAuth2 Client in a FastAPI-based project, I'm more than happy to hear about it.

That being said, I volunteer to provide the support for the `plain` challenge. The reason I'm submitting this issue is the fact that according to RFC7636, server-side support of `S256` is Mandatory To Implement. Using `plain` over the `S256` challenge method severely hinders the security benefits gained from supplementing the authorization flow with PKCE. If authlib maintainers want their project to follow the specifications in the most accurate manner and not introduce recommended-against features, then I don't want to get in anyone's way.

I'd be glad to hear your opinion on that. Thank you for your hard work!
Are you sure lepture/authlib doesn't support it?

authlib/authlib/oauth2/rfc7636/challenge.py, lines 52 to 55 in 0ad753c

authlib/docs/client/oauth2.rst, lines 115 to 125 in 0ad753c

Section 4.3 of RFC 7636 defines both `S256` and `plain` for the `code_challenge_method` field, with the former being the go-to choice for security reasons.

Upon a closer inspection of the source code, authlib seems to provide an implementation for the `plain` method for implicit use outside of a registered OAuth2 Client instance.

authlib/authlib/oauth2/client.py, line 34 in 11f13e4

authlib/authlib/oauth2/client.py, lines 153 to 155 in 11f13e4

Should this issue be closed then?
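To make concrete what the two `code_challenge_method` values from RFC 7636 section 4.3 actually mean on the wire, and why `plain` gives up most of PKCE's benefit, here is an added stand-alone example (not authlib's code and not from any participant in this thread). It implements the client-side verifier/challenge derivation and the token-endpoint check for both methods using only the standard library; the `run_pkce_flow` helper and the `challenge_reveals_verifier` flag are illustrative names chosen for this example. The `S256` test vector is the one from RFC 7636 Appendix B.

```python
import base64
import hashlib
import hmac
import secrets

# RFC 7636 section 4.1: code_verifier is 43..128 characters from the unreserved set.
VERIFIER_ALPHABET = (
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"
)
ALLOWED_VERIFIER_CHARS = set(VERIFIER_ALPHABET)


def generate_code_verifier(length: int = 64) -> str:
    """Client side: a high-entropy verifier drawn with a CSPRNG."""
    if not 43 <= length <= 128:
        raise ValueError("code_verifier length must be between 43 and 128")
    return "".join(secrets.choice(VERIFIER_ALPHABET) for _ in range(length))


def create_code_challenge(code_verifier: str, method: str) -> str:
    """Client side: derive the value sent in the authorization request."""
    if method == "plain":
        # plain: the challenge IS the verifier, so anyone who sees the
        # authorization request already holds the value needed at the token endpoint.
        return code_verifier
    if method == "S256":
        # S256: BASE64URL(SHA256(ASCII(code_verifier))) without '=' padding (section 4.2).
        digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
        return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    raise ValueError(f"unsupported code_challenge_method: {method!r}")


def verify_code_challenge(code_verifier: str, code_challenge: str, method: str) -> bool:
    """Server side (token endpoint): recompute the challenge and compare (section 4.6)."""
    if not 43 <= len(code_verifier) <= 128:
        return False
    if set(code_verifier) - ALLOWED_VERIFIER_CHARS:
        return False
    try:
        expected = create_code_challenge(code_verifier, method)
    except ValueError:
        return False
    # Constant-time comparison so the check does not leak via timing.
    return hmac.compare_digest(expected.encode("ascii"), code_challenge.encode("ascii"))


def run_pkce_flow(method: str) -> dict:
    """Walk one authorization-code + PKCE exchange and report what an observer of
    the authorization request would learn (constructed walkthrough, not a real AS)."""
    verifier = generate_code_verifier()
    # 1. Authorization request carries code_challenge and code_challenge_method.
    challenge = create_code_challenge(verifier, method)
    # 2. Token request later carries code_verifier; the AS checks it against the stored challenge.
    accepted = verify_code_challenge(verifier, challenge, method)
    return {
        "method": method,
        "accepted": accepted,
        # With plain, the observed challenge equals the secret the attacker would need.
        "challenge_reveals_verifier": challenge == verifier,
    }


if __name__ == "__main__":
    for m in ("plain", "S256"):
        print(run_pkce_flow(m))
```

The `challenge_reveals_verifier` flag is what the opener's point comes down to: with `plain`, an attacker who can read the front-channel authorization request (a leaked log, a compromised browser extension, a malicious app on the same device) has everything needed to redeem an intercepted authorization code, which is exactly the attack PKCE exists to stop; with `S256` the front channel only ever carries the hash.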
@codespearhead The client itself only supports `S256`. We need to add support for `plain` for the client.