7 months ago · 0ed7b18f42
--- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/server/DefaultServerOAuth2AuthorizationRequestResolver.java
+++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/server/DefaultServerOAuth2AuthorizationRequestResolver.java
@@ -196,7 +196,8 @@ public class DefaultServerOAuth2AuthorizationRequestResolver implements ServerOA
 
															 				// value.
														
 
															 				applyNonce(builder);
														
 
															 			}
														
 
															-			if (ClientAuthenticationMethod.NONE.equals(clientRegistration.getClientAuthenticationMethod())) {
														
 
															+			if (ClientAuthenticationMethod.NONE.equals(clientRegistration.getClientAuthenticationMethod())
														
 
															+					|| clientRegistration.getClientSettings().isRequireProofKey()) {
														
 
															 				DEFAULT_PKCE_APPLIER.accept(builder);
														
 
															 			}
														
 
															 			return builder;
														
--- a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/web/server/DefaultServerOAuth2AuthorizationRequestResolverTests.java
+++ b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/web/server/DefaultServerOAuth2AuthorizationRequestResolverTests.java
@@ -27,6 +27,7 @@ import org.springframework.http.HttpStatus;
 
															 import org.springframework.mock.http.server.reactive.MockServerHttpRequest;
														
 
															 import org.springframework.mock.web.server.MockServerWebExchange;
														
 
															 import org.springframework.security.oauth2.client.registration.ClientRegistration;
														
 
															+import org.springframework.security.oauth2.client.registration.ClientSettings;
														
 
															 import org.springframework.security.oauth2.client.registration.ReactiveClientRegistrationRepository;
														
 
															 import org.springframework.security.oauth2.client.registration.TestClientRegistrations;
														
 
															 import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestCustomizers;
														
@@ -169,6 +170,20 @@ public class DefaultServerOAuth2AuthorizationRequestResolverTests {
 
															 		assertPkceNotApplied(request, registration2);
														
 
															 	}
														
 
															+	@Test
														
 
															+	void resolveWhenRequireProofKeyTrueThenPkceEnabled() {
														
 
															+		ClientSettings pkceEnabled = ClientSettings.builder().requireProofKey(true).build();
														
 
															+		ClientRegistration clientWithPkceEnabled = TestClientRegistrations.clientRegistration()
														
 
															+			.clientSettings(pkceEnabled)
														
 
															+			.build();
														
 
															+		given(this.clientRegistrationRepository.findByRegistrationId(any()))
														
 
															+			.willReturn(Mono.just(clientWithPkceEnabled));
														
 
															+
														
 
															+		OAuth2AuthorizationRequest request = resolve(
														
 
															+				"/oauth2/authorization/" + clientWithPkceEnabled.getRegistrationId());
														
 
															+		assertPkceApplied(request, clientWithPkceEnabled);
														
 
															+	}
														
 
															+
														
 
															 	private void assertPkceApplied(OAuth2AuthorizationRequest authorizationRequest,
														
 
															 			ClientRegistration clientRegistration) {
														
 
															 		assertThat(authorizationRequest.getAdditionalParameters()).containsKey(PkceParameterNames.CODE_CHALLENGE);