As is being discussed in the thread "[OAUTH-WG] OAuth 2.1 - require PKCE?", https://tools.ietf.org/html/draft-ietf-oauth-security-topics-15#section-2.1.1 has inconsistent requirements for PKCE support between clients and servers. Per the first paragraph, clients must either use PKCE or use the OpenID Connect nonce to prevent authorization code injection, whereas the fourth paragraph says "Authorization servers MUST support PKCE [RFC7636]." This imposes a requirement on servers that isn't present for the corresponding clients. (I missed this internal discrepancy within the specification when I did my review.)
I therefore request that the fourth paragraph be changed to read: "OAuth Servers MUST support PKCE [RFC7636] unless they are only used for OpenID Connect Authentication Requests", making the requirements on clients and servers parallel. That way PKCE will still be there unless you don't need it. (And it still could be there if the server implementer chooses to have it in all cases, but that should be their call.) Thank you, -- Mike
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
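The message above turns on the claim that either PKCE or the OpenID Connect nonce stops authorization code injection. The following is an added example, not code from the thread or from any OAuth implementation: a constructed in-process simulation of one authorization server and one client, run three ways (PKCE only, nonce only, neither), with an attacker who swaps their own freshly issued code into the victim's pending session. The server, client, `run_injection` helper and the dict standing in for a signed ID token are all assumptions made for illustration; the `state` parameter and real HTTP redirects are omitted.

```python
"""Constructed simulation (not from the OAuth WG thread) of authorization code
injection against three clients: one using PKCE, one using only the OpenID
Connect nonce, and one using neither. AS, client and attacker run in-process;
the ID token is a plain dict standing in for a signed JWT."""
import base64
import hashlib
import secrets


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def pkce_challenge(verifier: str) -> str:
    # S256 method from RFC 7636: BASE64URL(SHA256(code_verifier))
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Hypothetical AS: issues codes bound to the request's code_challenge and nonce."""

    def __init__(self):
        self._codes = {}

    def authorize(self, client_id, code_challenge=None, nonce=None):
        code = b64url(secrets.token_bytes(16))
        self._codes[code] = {"client_id": client_id,
                             "code_challenge": code_challenge,
                             "nonce": nonce}
        return code

    def token(self, client_id, code, code_verifier=None):
        entry = self._codes.pop(code, None)          # codes are single use
        if entry is None or entry["client_id"] != client_id:
            return None
        if entry["code_challenge"] is not None:      # PKCE was used at /authorize
            if code_verifier is None:
                return None
            if not secrets.compare_digest(pkce_challenge(code_verifier),
                                          entry["code_challenge"]):
                return None
        id_token = {"nonce": entry["nonce"]} if entry["nonce"] is not None else None
        return {"access_token": b64url(secrets.token_bytes(16)), "id_token": id_token}


class Client:
    """Hypothetical client; per-session state holds what it needs to check the response."""

    def __init__(self, client_id, use_pkce, use_nonce):
        self.client_id, self.use_pkce, self.use_nonce = client_id, use_pkce, use_nonce

    def start(self, server):
        session = {}
        challenge = nonce = None
        if self.use_pkce:
            session["verifier"] = b64url(secrets.token_bytes(32))
            challenge = pkce_challenge(session["verifier"])
        if self.use_nonce:
            session["nonce"] = nonce = b64url(secrets.token_bytes(16))
        # Real flow: user agent is redirected to the AS; here the AS returns the code directly.
        code = server.authorize(self.client_id, challenge, nonce)
        return session, code

    def finish(self, server, session, code):
        """Returns where the presented code was stopped, or 'injected' if accepted."""
        tokens = server.token(self.client_id, code, session.get("verifier"))
        if tokens is None:
            return "rejected_by_as"          # code_verifier did not match the code's challenge
        if self.use_nonce:
            id_nonce = (tokens["id_token"] or {}).get("nonce")
            if id_nonce != session["nonce"]:
                return "rejected_by_client"  # ID token was not issued for this session
        return "injected"


def run_injection(use_pkce, use_nonce):
    server = AuthorizationServer()
    client = Client("app", use_pkce, use_nonce)
    victim_session, _victim_code = client.start(server)
    # Attacker completes their own login at the same client and captures their code...
    _attacker_session, attacker_code = client.start(server)
    # ...then injects it into the victim's pending session (e.g. via a crafted redirect URL).
    return client.finish(server, victim_session, attacker_code)


if __name__ == "__main__":
    for pkce, nonce in [(True, False), (False, True), (False, False)]:
        print(f"pkce={pkce} nonce={nonce}: {run_injection(pkce, nonce)}")
```

The two defences catch the injected code at different parties: with PKCE the server rejects the token request because the victim's `code_verifier` does not hash to the challenge the attacker's code was bound to, so a client that never inspects tokens is still protected; with the nonce alone the server happily issues tokens and the client has to notice that the ID token's `nonce` is not the one it stored for this session. That is why the nonce is only an equivalent defence for clients that actually validate an OpenID Connect ID token, which is the condition the proposed wording hinges on.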