Authentik · Authentik · CVE-2023-48228
**Name of the Vulnerable Software and Affected Versions**
authentik versions prior to 2023.8.5
authentik versions prior to 2023.10.4
**Description**
The issue concerns the implementation of Proof Key for Code Exchange (PKCE) in authentik, an open-source identity provider. When an OAuth2 flow is initialized with a `code challenge` and `code method`, authentik must require a `code verifier` at the token step and check that it matches the stored challenge. Prior to the fixed versions, however, authentik only validated the `code verifier` when one was supplied: if the `code verifier` was omitted entirely, the token request was accepted, even though the flow had started with a `code challenge`.
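The following is an added illustration of the check described above, written for this page and not taken from authentik's code base. It models the token-step verification in plain Python: `AuthorizationCode` is a hypothetical stand-in for the record an authorization server keeps between the authorize and token steps, `verify_pkce_vulnerable` reproduces the "only check the verifier when it is present" logic, and `verify_pkce_fixed` shows the hardened rule that a flow started with a challenge must present a matching verifier. The challenge derivation follows RFC 7636 section 4.2; the 43..128 character bound follows RFC 7636 section 4.1.

```python
import base64
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class AuthorizationCode:
    """Hypothetical record stored by the server between the authorize step and
    the token step (constructed for this example, not authentik's model)."""
    code: str
    code_challenge: Optional[str]          # None when the client did not use PKCE
    code_challenge_method: Optional[str]   # "plain" or "S256"; None defaults to "plain"


def new_code_verifier() -> str:
    """Client-side helper: 32 random bytes base64url-encoded is 43 characters,
    the minimum verifier length allowed by RFC 7636 section 4.1."""
    return secrets.token_urlsafe(32)


def compute_challenge(verifier: str, method: str) -> str:
    """Derive code_challenge from code_verifier as specified in RFC 7636 section 4.2."""
    if method == "plain":
        return verifier
    if method == "S256":
        digest = hashlib.sha256(verifier.encode("ascii")).digest()
        return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    raise ValueError(f"unsupported code_challenge_method: {method}")


def verify_pkce_vulnerable(stored: AuthorizationCode, code_verifier: Optional[str]) -> bool:
    """Pre-fix behaviour described in the advisory: the verifier is validated
    only when the client sends one, so a token request that omits it is
    accepted even though the flow registered a code_challenge."""
    if code_verifier is not None and stored.code_challenge is not None:
        method = stored.code_challenge_method or "plain"
        expected = compute_challenge(code_verifier, method)
        return hmac.compare_digest(expected, stored.code_challenge)
    return True  # no verifier supplied: accepted unconditionally (the bug)


def verify_pkce_fixed(stored: AuthorizationCode, code_verifier: Optional[str]) -> bool:
    """Hardened check: if the authorize step carried a code_challenge, the token
    step must carry a code_verifier that matches it; absence is a rejection."""
    if stored.code_challenge is None:
        # This flow never used PKCE; the advisory's condition does not apply.
        return True
    if code_verifier is None:
        return False  # challenge present but verifier missing: reject
    if not 43 <= len(code_verifier) <= 128:
        return False  # outside the RFC 7636 section 4.1 length bounds
    method = stored.code_challenge_method or "plain"
    expected = compute_challenge(code_verifier, method)
    # Constant-time comparison so the check does not leak via timing.
    return hmac.compare_digest(expected, stored.code_challenge)


if __name__ == "__main__":
    verifier = new_code_verifier()
    stored = AuthorizationCode("constructed-code", compute_challenge(verifier, "S256"), "S256")
    print("vulnerable, verifier omitted:", verify_pkce_vulnerable(stored, None))  # True
    print("fixed, verifier omitted:     ", verify_pkce_fixed(stored, None))       # False
    print("fixed, correct verifier:     ", verify_pkce_fixed(stored, verifier))   # True
```

The difference between the two functions is a single ordering decision: the fixed version consults the stored challenge first and treats a missing verifier as a failure, whereas the vulnerable version consults the incoming verifier first and falls through to success when there is nothing to compare. When reviewing PKCE handling in any authorization server, the check to look for is exactly that a `code_challenge` registered at the authorize step makes `code_verifier` mandatory at the token step.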
**Recommendations**
For versions prior to 2023.8.5, update to version 2023.8.5 or later.
For versions prior to 2023.10.4, update to version 2023.10.4 or later.