diff --git a/src/controllers/openid_controller.rs b/src/controllers/openid_controller.rs
index 625884d..cd14a46 100644
--- a/src/controllers/openid_controller.rs
+++ b/src/controllers/openid_controller.rs
@@ -319,9 +319,10 @@ pub async fn token(req: HttpRequest,
if !chall.verify_code(code_verifier) {
return Ok(error_response(&query, "invalid_grant", "Invalid code verifier"));
}
+ } else if q.code_verifier.is_some() {
+ return Ok(error_response(&query, "invalid_grant", "Unexpected `code_verifier` parameter!"));
}
-
if session.access_token.is_some() {
return Ok(error_response(&query, "invalid_request", "Authorization code already used!"));
}
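Review bot: The new `else if q.code_verifier.is_some()` branch rejects a stray verifier when no challenge is stored, but the security-relevant mirror case — a challenge was bound to this authorization code and the token request omits `code_verifier` — is what a PKCE downgrade attack exploits, and the branch that would enforce it starts before this hunk, so confirm it rejects a missing verifier rather than silently skipping verification. `invalid_grant` matches what RFC 7636 §4.6 prescribes for verifier failures, but the message `Unexpected \`code_verifier\` parameter!` tells a probing client that no challenge was registered for this code; the neutral `"Invalid code verifier"` already used two lines above leaks nothing and is what I would return here. Separately, because the `session.access_token.is_some()` replay check now runs after PKCE verification, a replayed code presented with a wrong verifier is reported as a verifier failure and never reaches the reuse path (and whatever revocation it may trigger) — consider moving the reuse check ahead of the PKCE block. The enclosing `token` function begins before and continues past this hunk.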