Hello! We would like to have PKCE be a MUST in OAuth 2.1 code flows. This is best practice for OAuth 2.0. It is not common in OpenID Connect servers as the nonce solves some of the issues that PKCE protects against. We think that most OpenID Connect implementations also support OAuth 2.0, and hence have support for PKCE if following best practices.
The advantages or requiring PKCE are: - a simpler programming model across all OAuth applications and profiles as they all use PKCE - reduced attack surface when using S256 as a fingerprint of the verifier is sent through the browser instead of the clear text value - enforcement by AS not client - makes it easier to handle for client developers and AS can ensure the check is conducted What are disadvantages besides the potential impact to OpenID Connect deployments? How significant is that impact? Dick, Aaron, and Torsten ᐧ
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth