As a clarifying question, you are saying "Servers must support" and not "Servers must require clients to use PKCE".
-Jared
Skype:jaredljennings Signal:+1 816.730.9540 WhatsApp: +1 816.678.4152

On Wed, May 6, 2020 at 4:04 PM Mike Jones <Michael.Jones=40microsoft....@dmarc.ietf.org> wrote:

> As is being discussed in the thread “[OAUTH-WG] OAuth 2.1 - require PKCE?”,
> https://tools.ietf.org/html/draft-ietf-oauth-security-topics-15#section-2.1.1
> has inconsistent requirements for PKCE support between clients and servers. Per the first paragraph, clients must either use PKCE or use the OpenID Connect nonce to prevent authorization code injection. Whereas the fourth paragraph says “*Authorization servers MUST support PKCE [RFC7636]*.”. This imposes a requirement on servers that isn’t present for corresponding clients. (I missed this internal discrepancy within the specification when I did my review.)
>
> I therefore request that the fourth paragraph be changed to read: “*OAuth Servers MUST support PKCE [RFC7636] unless they are only used for OpenID Connect Authentication Requests*”, making the requirements on clients and servers parallel. That way PKCE will still be there unless you don’t need it. (And it still could be there if the server implementer chooses to have it in all cases, but that should be their call.)
>
> Thank you,
> -- Mike
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
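To make the "must support" versus "must require" distinction from the question above concrete, here is an added example (not code from the thread or from any OAuth implementation) of the server-side checks RFC 7636 implies; the endpoint function names and the `require_pkce` policy flag are hypothetical.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed illustration of the authorization-server side of RFC 7636 PKCE.
# "support": verify code_verifier whenever the client bound a code_challenge
# to its authorization request. "require": additionally refuse to issue a
# code when no code_challenge was sent at all (require_pkce=True).


def s256_challenge(code_verifier: str) -> str:
    """RFC 7636 S256: BASE64URL(SHA256(ASCII(code_verifier))), no '=' padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def new_code_verifier() -> str:
    """Client side: 32 random bytes base64url-encoded gives 43 unreserved chars."""
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")


def check_authorization_request(params: dict, require_pkce: bool) -> tuple:
    """Authorization endpoint: decide what PKCE state to bind to the issued code.
    Returns (accepted, stored_challenge, stored_method)."""
    challenge = params.get("code_challenge")
    method = params.get("code_challenge_method", "plain")  # RFC 7636 default
    if challenge is None:
        if require_pkce:
            return (False, None, None)   # "require": no challenge, no code
        return (True, None, None)        # "support": code issued without PKCE
    if method not in ("S256", "plain"):
        return (False, None, None)
    return (True, challenge, method)


def check_token_request(stored_challenge, stored_method, code_verifier) -> bool:
    """Token endpoint: a code bound to a challenge is redeemable only with the
    matching verifier, so an injected (stolen) code cannot be redeemed."""
    if stored_challenge is None:
        return True                      # code was issued without PKCE
    if code_verifier is None or not 43 <= len(code_verifier) <= 128:
        return False
    if stored_method == "S256":
        expected = s256_challenge(code_verifier)
    else:
        expected = code_verifier
    return hmac.compare_digest(expected, stored_challenge)
```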