> On 11 May 2020, at 07:41, Torsten Lodderstedt <tors...@lodderstedt.net> wrote:
>
>> On 11. May 2020, at 07:38, Neil Madden <neil.mad...@forgerock.com> wrote:
>>
>> There is no attack that this prevents so your claim of improving security is
>> unsubstantiated. I can’t see how we can ship a 2.1-compliant-by-default AS
>> while this requirement remains so I don’t support it.
>
> Are you saying PKCE does not prevent any attack?
No, but servers and clients are already free to support PKCE. I’m saying that rejecting requests from non-PKCE clients doesn’t prevent any attack. It just denies service to legitimate clients.

— Neil

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
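The two authorization-server policies being argued over above (an AS that verifies PKCE when a client sends it versus one that also rejects clients that send none), as an added editorial example that is not part of the original thread and is not code from any participant or their product. It models RFC 7636 S256 PKCE end to end: the client derives a code_challenge from a random code_verifier, the AS binds the challenge to the authorization code, and the token endpoint checks the verifier. The `AuthorizationServer` class, its `require_pkce` flag, `run_scenarios`, and all inputs are hypothetical constructions for this example.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Hypothetical, self-contained model of an authorization server (AS) code flow
# with RFC 7636 PKCE. Example code only; not any real AS implementation.


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding RFC 7636 uses."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def s256_challenge(code_verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


def make_pkce_pair() -> Tuple[str, str]:
    """Client side: a high-entropy code_verifier and its S256 code_challenge."""
    code_verifier = b64url(secrets.token_bytes(32))  # 43 chars, within 43..128
    return code_verifier, s256_challenge(code_verifier)


class AuthorizationServer:
    def __init__(self, require_pkce: bool):
        self.require_pkce = require_pkce
        self._codes: Dict[str, Optional[str]] = {}  # code -> bound challenge

    def authorize(self, code_challenge: Optional[str] = None,
                  code_challenge_method: str = "S256"):
        """Authorization endpoint. Returns (code, error)."""
        if code_challenge is None:
            if self.require_pkce:
                # The contested policy: deny any client that sends no challenge.
                return None, "invalid_request"
        elif code_challenge_method != "S256":
            return None, "invalid_request"  # the 'plain' method is not accepted
        code = b64url(secrets.token_bytes(16))
        self._codes[code] = code_challenge
        return code, None

    def token(self, code: str, code_verifier: Optional[str] = None):
        """Token endpoint. Returns (access_token, error)."""
        if code not in self._codes:
            return None, "invalid_grant"
        stored = self._codes.pop(code)  # authorization codes are single use
        if stored is None:
            # No challenge was bound to this code. A verifier arriving now is a
            # mismatch between the two requests, so it is rejected rather than
            # silently ignored.
            if code_verifier is not None:
                return None, "invalid_grant"
            return b64url(secrets.token_bytes(16)), None
        if code_verifier is None:
            return None, "invalid_grant"  # challenge bound, verifier missing
        if not hmac.compare_digest(s256_challenge(code_verifier), stored):
            return None, "invalid_grant"
        return b64url(secrets.token_bytes(16)), None


def run_scenarios() -> Dict[str, str]:
    """Run the same client behaviours against both policies (constructed input)."""
    results: Dict[str, str] = {}
    for require in (False, True):
        tag = "require_pkce" if require else "support_pkce"
        srv = AuthorizationServer(require_pkce=require)

        # 1. A legitimate client that does not use PKCE at all.
        code, err = srv.authorize()
        if err:
            results[f"{tag}/no_pkce_client"] = "denied_at_authorize"
        else:
            tok, err = srv.token(code)
            results[f"{tag}/no_pkce_client"] = "granted" if tok else err

        # 2. A PKCE client whose code is intercepted; attacker lacks the verifier.
        verifier, challenge = make_pkce_pair()
        code, _ = srv.authorize(code_challenge=challenge)
        tok, err = srv.token(code)
        results[f"{tag}/stolen_code_no_verifier"] = "granted" if tok else err

        # 3. Attacker with the code and a guessed verifier.
        code, _ = srv.authorize(code_challenge=challenge)
        tok, err = srv.token(code, code_verifier=b64url(secrets.token_bytes(32)))
        results[f"{tag}/stolen_code_wrong_verifier"] = "granted" if tok else err

        # 4. The legitimate PKCE client redeeming its own code.
        code, _ = srv.authorize(code_challenge=challenge)
        tok, err = srv.token(code, code_verifier=verifier)
        results[f"{tag}/pkce_client"] = "granted" if tok else err
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

Running it shows that scenarios 2 to 4 come out the same under both policies: a client that sends a challenge is protected by the verifier check whether or not the AS mandates PKCE. The only row that differs is the first one, the client that sends no challenge, which is granted under `support_pkce` and refused at the authorization endpoint under `require_pkce`.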