Hi, we came across an issue in Gluu login functionality when using OAuth 2.0 PKCE extension. What happens is that as part of the login flow when accessing authorization endpoint, Gluu loses the provided code_challenge and code_challenge_method provided by the client application. The flow is following: 1) Client provides code_challenge and code_challenge_method in the call to authorization endpoint: ``` GET /oxauth/seam/resource/restv1/oxauth/authorize?redirect_uri=com.nixu.mobilesso.mobilessodemo%3A%2F%2Foidc_callback&client_id=********&response_type=code&state=********&scope=openid%20profile%20email&code_challenge=********&code_challenge_method=S256 ``` 2) Gluu responds with HTTP status code 302 and value of Location header indicates that code_challenge and code_challenge_method are no longer present. ``` Location: https://********/oxauth/authorize?scope=openid+profile+email&response_type=code&redirect_uri=com.nixu.mobilesso.mobilessodemo%3A%2F%2Foidc_callback&state=********&client_id=******** ``` Eventually after successful login, when passing code_verifier as part of the call to token endpoint, it responds with HTTP status code 401 and following error payload: ``` "error":"invalid_grant","error_description":"The provided authorization grant is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client." ``` This works OK when user does not need to login.