Thanks for the lively discussion around PKCE in OAuth 2.1 everyone!

We would like to propose the following text, which is a slight variation
from the text Neil proposed. This would replace the paragraph in 4.1.2.1
(https://tools.ietf.org/html/draft-parecki-oauth-v2-1-02#section-4.1.2.1)
that begins with "If the client does not send the "code_challenge" in the
request..."

"An AS MUST reject requests without a code_challenge from public clients,
and MUST reject such requests from other clients unless there is reasonable
assurance that the client mitigates authorization code injection in other
ways. See section 9.7 for details."

Section 9.7 is where the nuances of PKCE vs nonce are described.

As Neil described, we believe this will allow ASs to support both OAuth 2.0
and 2.1 clients simultaneously. The change from Neil's text is the
clarification of which threats, and changing to MUST instead of SHOULD. The
"MUST...unless" is more specific than "SHOULD", and since we are already
describing the explicit exception to the rule, it's more clear as a MUST
here.

Aaron Parecki
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
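To make the proposed "MUST reject ... unless" rule concrete, here is an added example (not text from the draft and not code from the mailing list discussion) of how an authorization server could implement it, together with the RFC 7636 S256 verification it enforces at the token endpoint. The `ClientRecord` class, its `mitigates_code_injection` registration flag (standing in for "reasonable assurance that the client mitigates authorization code injection in other ways", e.g. via the OpenID Connect nonce described in section 9.7), and the policy of rejecting a stray `code_verifier` for codes issued without PKCE are all assumptions made for this example.

```python
"""Hypothetical AS-side PKCE policy for the OAuth 2.1 "MUST reject ... unless" rule.

Added example; not from draft-parecki-oauth-v2-1 or the list discussion.
"""
import base64
import hashlib
import secrets
from dataclasses import dataclass


@dataclass
class ClientRecord:
    client_id: str
    public: bool  # True for public clients (no credentials to authenticate with)
    # Assumed registration flag: the AS operator has "reasonable assurance" that
    # this client mitigates authorization code injection some other way
    # (for example an OpenID Connect nonce it verifies). Name is hypothetical.
    mitigates_code_injection: bool = False


class AuthorizationError(Exception):
    """Raised when the authorization request must be rejected."""


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def generate_verifier() -> str:
    # 32 random bytes encode to 43 base64url chars, inside RFC 7636's 43..128 range.
    return b64url(secrets.token_bytes(32))


def s256_challenge(verifier: str) -> str:
    # RFC 7636 section 4.2: BASE64URL(SHA256(ASCII(code_verifier)))
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def check_authorization_request(client: ClientRecord, params: dict) -> dict:
    """Apply the proposed section 4.1.2.1 rule; return the PKCE binding to store
    with the issued code, or raise AuthorizationError."""
    challenge = params.get("code_challenge")
    if challenge is None:
        if client.public:
            raise AuthorizationError("public clients MUST send code_challenge")
        if not client.mitigates_code_injection:
            raise AuthorizationError("code_challenge required: no other mitigation known")
        # Confidential client covered by the "unless" clause: code issued without PKCE.
        return {"code_challenge": None, "code_challenge_method": None}
    if params.get("code_challenge_method", "plain") != "S256":
        raise AuthorizationError("only code_challenge_method=S256 is accepted")
    # An S256 challenge is exactly 43 base64url characters (32-byte digest).
    if len(challenge) != 43 or not all(c.isascii() and (c.isalnum() or c in "-_") for c in challenge):
        raise AuthorizationError("malformed code_challenge")
    return {"code_challenge": challenge, "code_challenge_method": "S256"}


def verify_token_request(stored: dict, params: dict) -> bool:
    """Token endpoint: prove the presenter of the code is the party that started the flow."""
    verifier = params.get("code_verifier")
    if stored["code_challenge"] is None:
        # Code was issued under the "unless" clause; this example's policy is that a
        # stray verifier signals a code from some other request and is refused.
        return verifier is None
    if verifier is None or not 43 <= len(verifier) <= 128:
        return False
    if not all(c.isascii() and (c.isalnum() or c in "-._~") for c in verifier):
        return False
    return secrets.compare_digest(s256_challenge(verifier), stored["code_challenge"])


if __name__ == "__main__":
    spa = ClientRecord("spa", public=True)
    v = generate_verifier()
    binding = check_authorization_request(
        spa, {"code_challenge": s256_challenge(v), "code_challenge_method": "S256"})
    print("legitimate client:", verify_token_request(binding, {"code_verifier": v}))
    print("injected code:", verify_token_request(binding, {"code_verifier": generate_verifier()}))
```

The split matters for the "MUST ... unless" wording: the decision to accept a request without `code_challenge` is made once, per client, at the authorization endpoint, and the token endpoint only ever verifies a binding that was actually recorded, so a confidential client that was allowed through without PKCE cannot later be confused with one whose code was bound to a challenge.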