diff --git a/lib/handlers/authorize-handler.js b/lib/handlers/authorize-handler.js
index 75d1b2e..471cdfb 100644
--- a/lib/handlers/authorize-handler.js
+++ b/lib/handlers/authorize-handler.js
@@ -369,7 +369,7 @@ AuthorizeHandler.prototype.updateResponse = function(response, redirectUri, stat
 };
 
 AuthorizeHandler.prototype.getCodeChallenge = function(request) {
- return request.body.code_challenge;
+ return request.body.code_challenge || request.query.code_challenge;
 };
 
 /**
@@ -380,7 +380,7 @@ AuthorizeHandler.prototype.getCodeChallenge = function(request) {
 * (see https://www.rfc-editor.org/rfc/rfc7636#section-4.4)
 */
 AuthorizeHandler.prototype.getCodeChallengeMethod = function(request) {
- const algorithm = request.body.code_challenge_method;
+ const algorithm = request.body.code_challenge_method || request.query.code_challenge_method;
 
 if (algorithm && !pkce.isValidMethod(algorithm)) {
 throw new InvalidRequestError(`Invalid request: transform algorithm '${algorithm}' not supported`);
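Review bot: The two `||` fallbacks resolve `code_challenge` and `code_challenge_method` independently, so a request can take the challenge from the body and the method from the query string, and a body value silently wins when both are present and differ; this applies to `getCodeChallenge` in this hunk and to `getCodeChallengeMethod` in the next one. RFC 6749 section 3.1 says request parameters must not be included more than once, so for PKCE it is safer to read both values from a single source, or to reject the request when body and query disagree. One way is a shared lookup such as `const params = request.body.code_challenge ? request.body : request.query;` used by both getters, with a comment stating which source takes precedence and why.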
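Review bot: `algorithm` can now come from `request.query`, and nothing in this hunk checks that it is a string before it reaches `pkce.isValidMethod` and the error message. If the query string is parsed by a parser that turns repeated keys into arrays or objects (not visible here), a non-string value would be passed through, and how `isValidMethod` treats it is also outside the hunk. A type guard keeps the check independent of the helper: `if (algorithm && (typeof algorithm !== 'string' || !pkce.isValidMethod(algorithm))) {`. The function body continues past the end of the hunk, so later handling of `algorithm` is not covered by this note.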