2020-08-10 UTC
[tb] So was thinking some about PKCE just now — a client that supports PKCE should be able to safely send PKCE parameters in both the authorization and token requests even if the provider doesn't support it, since the provider should just silently drop the `code_challenge` / `code_challenge_method` / `code_verifier` parameters if that's the case?