As is being discussed in the thread "[OAUTH-WG] OAuth 2.1 - require PKCE?", 
https://tools.ietf.org/html/draft-ietf-oauth-security-topics-15#section-2.1.1 
has inconsistent requirements for PKCE support between clients and servers.  
Per the first paragraph, clients must either use PKCE or use the OpenID Connect 
nonce to prevent authorization code injection.  Whereas the fourth paragraph 
says "Authorization servers MUST support PKCE [RFC7636].".  This imposes a 
requirement on servers that isn't present for corresponding clients.  (I missed 
this internal discrepancy within the specification when I did my review.)

I therefore request that the fourth paragraph be changed to read: "OAuth Servers 
MUST support PKCE [RFC7636] unless they are only used for OpenID Connect 
Authentication Requests", making the requirements on clients and servers 
parallel.  That way PKCE will still be there unless you don't need it.  (And it 
still could be there if the server implementer chooses to have it in all cases, 
but that should be their call.)

                                                       Thank you,
                                                       -- Mike

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
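The two mechanisms the post contrasts, PKCE on the one hand and the OpenID Connect nonce on the other, both stop authorization code injection, but they are checked by different parties: the authorization server verifies the PKCE code_verifier at the token endpoint, while the client verifies the nonce in the ID token it receives. The following is an added example, not code from the post, the OAuth working group or any real server: it models an authorization server as a constructed in-memory object (the client identifier `example-client` and the `AuthorizationServer` class are assumptions), has the token endpoint hand back ID token claims directly as a stand-in for a signed ID token the client has already signature-verified, and then runs the injection scenario from the security-topics draft (an attacker presenting a code issued for the victim's session in the attacker's own session with the client) against each defence.

```python
"""PKCE (RFC 7636, S256) versus the OpenID Connect nonce against authorization
code injection.  Constructed illustration; the AuthorizationServer is an
in-memory model, and token() returns ID token *claims* directly, standing in
for a signed ID token that the client has already signature-verified."""
import base64
import hashlib
import hmac
import secrets

CLIENT_ID = "example-client"   # assumed client identifier for the example


def b64url(data: bytes) -> str:
    """base64url without '=' padding (RFC 7636 Appendix A)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """32 random bytes -> 43 unreserved characters, the RFC 7636 minimum length."""
    return b64url(secrets.token_bytes(32))


def code_challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) (RFC 7636 4.2)."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Model AS: binds each code to the challenge and nonce from the
    authorization request and checks the verifier when the code is redeemed."""

    def __init__(self):
        self._codes = {}

    def authorize(self, client_id, code_challenge=None, method=None, nonce=None):
        code = secrets.token_urlsafe(24)
        self._codes[code] = {"client_id": client_id, "challenge": code_challenge,
                             "method": method, "nonce": nonce}
        return code

    def token(self, client_id, code, code_verifier=None):
        rec = self._codes.pop(code, None)       # single use: replay fails too
        if rec is None or rec["client_id"] != client_id:
            raise ValueError("invalid_grant")
        if rec["challenge"] is not None:        # PKCE was used on this request
            if rec["method"] != "S256" or code_verifier is None:
                raise ValueError("invalid_grant: code_verifier required")
            if not hmac.compare_digest(code_challenge_s256(code_verifier),
                                       rec["challenge"]):
                raise ValueError("invalid_grant: code_verifier mismatch")
        return {"nonce": rec["nonce"]}          # stand-in for ID token claims


def pkce_session():
    """Client-side state for a PKCE-protected authorization request."""
    v = make_code_verifier()
    return {"verifier": v, "challenge": code_challenge_s256(v)}


def pkce_redeem(as_, session, code):
    """Token request using the verifier that belongs to *this* session."""
    return as_.token(CLIENT_ID, code, code_verifier=session["verifier"])


def oidc_session():
    """Client-side state for an OpenID Connect request relying on nonce only."""
    return {"nonce": secrets.token_urlsafe(16)}


def oidc_redeem(as_, session, code):
    """Redeem without PKCE, then bind the ID token to this session via nonce."""
    claims = as_.token(CLIENT_ID, code)
    if not hmac.compare_digest(claims["nonce"], session["nonce"]):
        raise ValueError("nonce mismatch: code was not issued for this session")
    return claims


def run_flow(start, redeem, inject: bool) -> bool:
    """True when redemption succeeds.  With inject=True the attacker takes a
    code issued for the victim's session and presents it in the attacker's
    own session with the client (code injection, security-topics 4.5)."""
    as_ = AuthorizationServer()
    victim = start()
    code = as_.authorize(CLIENT_ID, victim.get("challenge"),
                         "S256" if "challenge" in victim else None,
                         victim.get("nonce"))
    session = start() if inject else victim    # attacker's session vs legitimate
    try:
        redeem(as_, session, code)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for name, start, redeem in (("PKCE", pkce_session, pkce_redeem),
                                ("OIDC nonce", oidc_session, oidc_redeem)):
        print(name, "legitimate:", run_flow(start, redeem, False),
              "injected:", run_flow(start, redeem, True))
```

Either check on its own defeats the injected code, which is the parallel the post draws: with PKCE the server refuses the token request because the attacker's session holds a different code_verifier; with nonce alone the server happily issues the tokens, and it is the client that must notice the ID token carries the victim's nonce. A server that bound a challenge to the code must also refuse a redemption that omits the verifier, otherwise an attacker can simply leave it out.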
