diff --git a/internal/oauth21/pkce.go b/internal/oauth21/pkce.go
index 9929e4e1e..fc752fb80 100644
--- a/internal/oauth21/pkce.go
+++ b/internal/oauth21/pkce.go
@@ -13,18 +13,8 @@ import (
 // - storedCodeChallenge: The challenge string stored by the server during the authorization request.
 // Returns true if the verifier is valid, false otherwise.
 func VerifyPKCES256(codeVerifier, storedCodeChallenge string) bool {
-	// 1. Calculate SHA256 hash of the code verifier (ASCII representation)
 	sha256Hash := sha256.Sum256([]byte(codeVerifier))
-
-	// 2. Base64url-encode the hash *without* padding
-	// Use RawURLEncoding which omits padding.
 	calculatedChallenge := base64.RawURLEncoding.EncodeToString(sha256Hash[:])
-
-	// 3. Constant-time comparison
-	if len(calculatedChallenge) != len(storedCodeChallenge) {
-		return false
-	}
-	// subtle.ConstantTimeCompare returns 1 if equal, 0 otherwise.
 	return subtle.ConstantTimeCompare([]byte(calculatedChallenge), []byte(storedCodeChallenge)) == 1
 }
@@ -35,8 +25,5 @@ func VerifyPKCES256(codeVerifier, storedCodeChallenge string) bool {
 // - storedCodeChallenge: The challenge string stored by the server during the authorization request.
 // Returns true if the verifier is valid, false otherwise.
 func VerifyPKCEPlain(codeVerifier, storedCodeChallenge string) bool {
-	if len(codeVerifier) != len(storedCodeChallenge) {
-		return false
-	}
 	return subtle.ConstantTimeCompare([]byte(codeVerifier), []byte(storedCodeChallenge)) == 1
 }
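Review bot: With the explicit length guard gone, the return line of VerifyPKCES256 in this hunk and the return line of VerifyPKCEPlain in the second hunk now rely on subtle.ConstantTimeCompare returning 0 when the two slices differ in length; that is the documented behaviour of the function, so the removal is sound, but the hunk also drops the comment that explained the comparison, leaving nothing to stop a later reader from re-adding the guard or swapping in bytes.Equal. I would keep a one-line comment on each return: `// ConstantTimeCompare returns 0 on a length mismatch, so no separate length check is needed; keep this comparison constant-time.` Separately, neither function checks that codeVerifier has the RFC 7636 §4.1 shape (43–128 characters from the unreserved set); if the token-endpoint caller does not already enforce that, the check belongs either there or at the top of these functions.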