Re: [OAUTH-WG] How to enforce PKCE in authorization servers with a mix OAuth 2.0 and 2.1 clients?

2022-10-07 Thread Brock Allen
> Has anyone faced the issue of how an AS can handle a mix of OAuth 2.0 and 2.1 clients regarding PKCE enforcement?

In Duende IdentityServer we make this a per-client setting. That makes for a very simple solution to the problem.

-Brock

Re: [OAUTH-WG] How to enforce PKCE in authorization servers with a mix OAuth 2.0 and 2.1 clients?

2022-10-07 Thread Dima Postnikov
Hi Vladimir,

Similar issue exists in CDR (Australian Open Banking). PAR and PKCE were added as mandatory to FAPI 1 Advanced profile. There was a transition period when AS had to support both (potentially). Also if the same AS is used outside of CDR, this dual support would continue for some

Re: [OAUTH-WG] WGLC for Step-up Authentication

2022-10-07 Thread Dima Postnikov
Couple of quick comments from me:

1) (Editorial)

> In simple API authorization scenarios, an authorization server will statically determine what authentication technique

In many scenarios, authorization servers will use *dynamic* decisioning to determine authentication techniques; it's just not

Re: [OAUTH-WG] WGLC for Step-up Authentication

2022-10-07 Thread Pieter Kasselman
I am very supportive of this work and have been working through different use cases to see whether it can satisfy the requirements that arise from them. One observation from working through these use cases is that as customers move to Zero Trust architectures, we are seeing customers