The document is called "...Best Current Practice ..." and includes recommendations. Could it be sufficient to say "Authorization servers support PKCE" in section 2.1.1? I believe MUST and other such terms may not necessarily belong in such a document.
Regards,
Sascha

On Wed, 6 May 2020 at 14:04, Mike Jones <Michael.Jones=40microsoft....@dmarc.ietf.org> wrote:
>
> As is being discussed in the thread “[OAUTH-WG] OAuth 2.1 - require PKCE?”,
> https://tools.ietf.org/html/draft-ietf-oauth-security-topics-15#section-2.1.1
> has inconsistent requirements for PKCE support between clients and servers.
> Per the first paragraph, clients must either use PKCE or use the OpenID
> Connect nonce to prevent authorization code injection. Whereas the fourth
> paragraph says “Authorization servers MUST support PKCE [RFC7636].”. This
> imposes a requirement on servers that isn’t present for corresponding
> clients. (I missed this internal discrepancy within the specification when I
> did my review.)
>
> I therefore request that the fourth paragraph be changed to read: “OAuth
> Servers MUST support PKCE [RFC7636] unless they are only used for OpenID
> Connect Authentication Requests”, making the requirements on clients and
> servers parallel. That way PKCE will still be there unless you don’t need
> it. (And it still could be there if the server implementer chooses to have
> it in all cases, but that should be their call.)
>
> Thank you,
> -- Mike
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
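What "authorization servers support PKCE" amounts to in practice is a token-endpoint check that binds each authorization code to the code_challenge it was requested with, which is what stops an injected code from being redeemed. The following is an added illustration written for this thread, not code from the draft or from any of its authors; the in-memory code store, the require_pkce switch (modelling Mike's proposed carve-out for servers that only serve OpenID Connect requests) and the S256-only policy are assumptions of the example.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# In-memory authorization-code store, constructed for this example.
_codes: Dict[str, dict] = {}

def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def make_verifier() -> str:
    """Client side: 32 random bytes give a 43-char code_verifier (RFC 7636 section 4.1)."""
    return b64url(secrets.token_bytes(32))

def make_challenge(verifier: str) -> str:
    """Client side, S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def issue_code(client_id: str, code_challenge: Optional[str], method: str = "S256") -> str:
    """Authorization endpoint: bind the new code to the challenge it was requested with."""
    code = b64url(secrets.token_bytes(16))
    _codes[code] = {"client_id": client_id, "challenge": code_challenge, "method": method}
    return code

def redeem_code(code: str, client_id: str, code_verifier: Optional[str],
                require_pkce: bool = True) -> bool:
    """Token endpoint check. Returns True only if the code may be exchanged.
    require_pkce=False models a server that, per the proposal in the thread,
    lets clients relying on the OpenID Connect nonce skip PKCE (assumption)."""
    entry = _codes.pop(code, None)  # single use: a replayed code always fails
    if entry is None or entry["client_id"] != client_id:
        return False
    if entry["challenge"] is None:
        # No challenge was bound at authorization time; a verifier now proves nothing.
        return code_verifier is None and not require_pkce
    if code_verifier is None or not 43 <= len(code_verifier) <= 128:
        return False  # challenge bound, but no verifier of valid length presented
    if entry["method"] != "S256":
        return False  # this example only handles the S256 transform
    expected = make_challenge(code_verifier)
    # constant-time comparison, so timing does not leak how much of the value matched
    return hmac.compare_digest(expected, entry["challenge"])
```

The challenge computation can be checked against the RFC 7636 Appendix B test vector; the verifier-to-challenge binding is what the "MUST support PKCE" sentence in section 2.1.1 requires a server to be able to verify.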