It can be a bit of a balancing act to have examples that clearly and concisely demonstrate the target functionality of the document but do so in the context of an otherwise complete and valid protocol message that also shows best practices being adhered to. But I think in this case I agree that adding a code_verifier to that example is worthwhile to show one of the generally agreed on best practices being followed and it doesn't add too much bloat to the example.
On Thu, Aug 1, 2019 at 2:44 PM Sascha Preibisch <saschapreibi...@gmail.com> wrote:
> Hi all!
>
> I am reading through the latest draft ( ... dpop-02). When I got to
> the first example request (bullet 5.) I saw that only 'grant_type,
> code, redirect_uri' are used.
>
> If I am not mistaken the recommendation is to generally use PKCE with
> an authorization_code flow. Therefore, I wondered if the example
> should also include a 'code_verifier'.
>
> Thanks,
> Sascha
>
> On Mon, 8 Jul 2019 at 06:30, Daniel Fett <danielf+oa...@yes.com> wrote:
> >
> > All,
> >
> > In preparation for the meeting in Montreal, I just uploaded a new
> > version of the DPoP draft:
> > https://tools.ietf.org/html/draft-fett-oauth-dpop-02
> >
> > Please have a look and let me know what you think. We should make this a
> > working group item soon.
> >
> > As you might have noticed, there is also a new version of the Security
> > Best Current Practice draft:
> > https://tools.ietf.org/html/draft-ietf-oauth-security-topics-13
> >
> > -Daniel
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
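As an added illustration, not code from this thread or from the DPoP draft: the PKCE part of the token request Sascha asks about, using the S256 method from RFC 7636 on both the client side (verifier and challenge) and the authorization-server side (recomputing and comparing the challenge). The authorization code and redirect URI are constructed sample values, and the DPoP proof header itself is not shown.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode


def b64url_nopad(raw: bytes) -> str:
    # base64url without '=' padding, as RFC 7636 requires for both values
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    # RFC 7636 4.1: 43-128 chars from [A-Za-z0-9-._~]. 32 random bytes
    # base64url-encoded give exactly 43 characters from that alphabet.
    return b64url_nopad(secrets.token_bytes(n_bytes))


def make_code_challenge(verifier: str) -> str:
    # S256: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
    return b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())


def build_token_request(code: str, redirect_uri: str, verifier: str) -> str:
    # Body of the authorization_code token request from the draft's example,
    # extended with the code_verifier the thread suggests adding.
    return urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "code_verifier": verifier,
    })


def server_verify(body: str, stored_challenge: str) -> bool:
    # Authorization server: the challenge was stored with the code at the
    # authorization request; recompute S256 over the presented verifier and
    # compare in constant time. A missing or malformed verifier fails closed.
    params = parse_qs(body, strict_parsing=True)
    verifier = params.get("code_verifier", [""])[0]
    if not 43 <= len(verifier) <= 128:
        return False
    return secrets.compare_digest(make_code_challenge(verifier), stored_challenge)


if __name__ == "__main__":
    v = make_code_verifier()
    challenge = make_code_challenge(v)  # sent with the authorization request
    body = build_token_request("SplxlOBeZQQYbYS6WxSbIA",  # constructed sample code
                               "https://client.example.com/cb", v)
    print(body)
    print("verified:", server_verify(body, challenge))
```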