@Daniel Fett has posted a very useful analysis of nonce and PKCE:
We should consider whether to add additional security considerations around this in FAPI and if so, whether they need to be in part 1 or part 2.
There was discussion on the call today of potentially requiring servers to reject token requests with a code_verifier where none was expected.
There was also discussion about whether in Part 2 we are protected against such attacks due to the integrity protection from JARM or ID Tokens.
We agreed to open this issue for further discussion.
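The server-side check floated on the call (reject a token request that carries a `code_verifier` when the authorization request bound to that code carried no `code_challenge`) as an added, self-contained example. This is illustrative code written for this issue, not text from the FAPI specification or from Daniel Fett's analysis; the `AuthorizationServer` class, its in-memory code store, and the S256-only policy are assumptions made here for the sake of a runnable demonstration.

```python
import base64
import hashlib
import hmac
import secrets


def s256_challenge(code_verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(code_verifier)) without padding (RFC 7636)."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class AuthorizationServer:
    """Hypothetical authorization server: only the PKCE-relevant parts of the
    authorization and token endpoints. Codes live in an in-memory dict here;
    a real AS would persist them."""

    def __init__(self):
        # code -> {"client_id": str, "code_challenge": str | None}
        self._codes = {}

    def issue_code(self, client_id, code_challenge=None, code_challenge_method=None):
        """Authorization endpoint: bind the code to the client and to the
        code_challenge (if any) that was present in the authorization request."""
        if code_challenge is not None and code_challenge_method != "S256":
            # Assumed policy for this example: plain is not accepted.
            raise ValueError("only code_challenge_method=S256 is accepted")
        code = secrets.token_urlsafe(32)
        self._codes[code] = {"client_id": client_id, "code_challenge": code_challenge}
        return code

    def token_request(self, client_id, code, code_verifier=None):
        """Token endpoint. Returns {"ok": True} or {"error": <oauth error code>}."""
        # Single use: remove the record so a replayed code always fails.
        record = self._codes.pop(code, None)
        if record is None or record["client_id"] != client_id:
            return {"error": "invalid_grant"}

        stored_challenge = record["code_challenge"]

        if stored_challenge is None:
            # No code_challenge was bound at authorization time. A code_verifier
            # here means the client believes it started a PKCE flow but the
            # code it presents came from a request without one, which is the
            # mismatch the call discussed rejecting. Do not silently accept it.
            if code_verifier is not None:
                return {"error": "invalid_grant"}
            return {"ok": True}

        # A code_challenge was bound, so a verifier is mandatory.
        if code_verifier is None:
            return {"error": "invalid_grant"}
        # RFC 7636 length bounds on code_verifier.
        if not 43 <= len(code_verifier) <= 128:
            return {"error": "invalid_request"}
        # Constant-time comparison of the recomputed challenge.
        if not hmac.compare_digest(s256_challenge(code_verifier), stored_challenge):
            return {"error": "invalid_grant"}
        return {"ok": True}


if __name__ == "__main__":
    # Constructed walk-through: one honest PKCE flow, then the rejected cases.
    srv = AuthorizationServer()
    verifier = secrets.token_urlsafe(48)
    code = srv.issue_code("client-a", s256_challenge(verifier), "S256")
    print("pkce ok:", srv.token_request("client-a", code, verifier))
    code = srv.issue_code("client-a")  # authorization request had no code_challenge
    print("verifier where none expected:", srv.token_request("client-a", code, verifier))
```

The branch that matters for this issue is the `stored_challenge is None` case: the decision is keyed off what the authorization server itself recorded for that code, not off whatever the token request claims, so a client cannot talk the server into treating a non-PKCE code as a PKCE one (or the reverse) by adding or omitting parameters at the token endpoint.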