The Airtable OAuth specification says that authorization request responses will return the same code_challenge that was included in the original request.
These docs also say that this value must be verified:
| The code_challenge parameter you passed in the authorization request. You must verify the code_challenge variable is associated with a code_verifier you generated. |
From what I understand of the PKCE flow, Airtable's backend (not the client integration) is responsible for validating the code_verifier included in the token creation request from the client. Why does the documentation call for the integration to check that authorization response returns the same code_challenge that included in the request?
Also, the official Airtable example implementation does not perform this check: https://github.com/Airtable/oauth-example/blob/a714e68c2610e3249063b3d92faf064bf4c15188/index.js#L94-L137.
Any ideas? TYIA!