Description
According to RFC https://tools.ietf.org/html/rfc7636#section-4, for public clients with the `authorization_code` grant, PKCE's `code_verifier` must be used to authenticate the client. Currently authentication for public clients is dropped altogether.

Current behaviour:

The client's `code_challenge` is not used to authenticate public clients. This leaves public clients vulnerable to a token interception attack.

Expected behaviour:

Public clients on the `authorization_code` grant type must be verified by the method described in the RFC linked in the issue.
I am not sure how much it would affect existing deployments by making this mandatory, but there should be some option / setting switch that we can flip to enable this security feature.
I'll be open to working on this, let me know if I should.
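As an added illustration of the check this issue asks for (not code from the project or the issue author), the following shows what the token endpoint has to do under RFC 7636: recompute the challenge from the presented `code_verifier` (S256 or plain), compare it in constant time with the `code_challenge` bound to the authorization code at `/authorize`, and reject a public client whose authorization code carries no challenge at all. The `stored_grant` and `token_request` dicts are assumed stand-ins for whatever the framework stores and parses; the sample values in the test come from the worked example in RFC 7636 Appendix B.

```python
import base64
import hashlib
import hmac
import re
import secrets

# RFC 7636 section 4.1: unreserved characters, 43..128 characters long
_VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def _b64url_nopad(data: bytes) -> str:
    """base64url without '=' padding, as RFC 7636 Appendix A specifies."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def generate_code_verifier(n_bytes: int = 32) -> str:
    """Client side: 32 random bytes encode to a 43-character verifier."""
    return _b64url_nopad(secrets.token_bytes(n_bytes))


def code_challenge_from_verifier(code_verifier: str, method: str = "S256") -> str:
    """Derive the code_challenge the client sends to /authorize."""
    if method == "S256":
        return _b64url_nopad(hashlib.sha256(code_verifier.encode("ascii")).digest())
    if method == "plain":
        return code_verifier
    raise ValueError("unsupported code_challenge_method: %r" % method)


def verify_pkce(stored_grant: dict, token_request: dict, is_public_client: bool) -> bool:
    """Server side, at the token endpoint.

    stored_grant:  what was persisted with the authorization code at /authorize
                   (keys: code_challenge, code_challenge_method) - assumed shape.
    token_request: the parsed token request (key: code_verifier) - assumed shape.
    """
    challenge = stored_grant.get("code_challenge")
    method = stored_grant.get("code_challenge_method", "plain")
    verifier = token_request.get("code_verifier")

    if challenge is None:
        # No challenge was bound to this code. A public client has no other
        # credential, so the exchange must fail; a confidential client still
        # authenticates with its client secret.
        return not is_public_client

    # A challenge was bound: the verifier is mandatory and must be well formed.
    if not isinstance(verifier, str) or not _VERIFIER_RE.match(verifier):
        return False

    try:
        expected = code_challenge_from_verifier(verifier, method)
    except ValueError:
        return False

    # Constant-time comparison so the check does not leak via timing.
    return hmac.compare_digest(expected.encode("ascii"), challenge.encode("ascii"))


if __name__ == "__main__":
    # Constructed end-to-end flow: client builds verifier/challenge, server verifies.
    verifier = generate_code_verifier()
    grant = {"code_challenge": code_challenge_from_verifier(verifier),
             "code_challenge_method": "S256"}
    print("valid exchange:", verify_pkce(grant, {"code_verifier": verifier}, True))
    print("stolen code, no verifier:", verify_pkce(grant, {}, True))
```

The `challenge is None` branch is the switch this issue is really about: once public clients are required to use PKCE, an authorization code issued without a `code_challenge` must not be exchangeable by a public client, otherwise an interceptor of the code simply omits the verifier.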