On Wed, 5 Apr 2023 at 08:00, M Hickford <mirth.hickf...@gmail.com> wrote:
>
> https://www.ietf.org/archive/id/draft-ietf-oauth-v2-1-08.html#name-countermeasures-2
> says
>
> > To prevent injection of authorization codes into the client, using code_challenge and code_verifier is REQUIRED for clients, and authorization servers MUST enforce their use unless both of the following criteria are met...
>
> Suppose a client (that doesn't meet the exception criteria) omits
> code_challenge in an authorization request. Must the authorization
> server reject it? "Enforce their use" is unclear to me. It could
> mean "if populated, enforce that they are used correctly" (weaker) or
> "enforce that they are populated AND used correctly" (stronger).
Aha. A different section of the doc answers my question
https://www.ietf.org/archive/id/draft-ietf-oauth-v2-1-08.html#section-4.1.2.1

> [Authorization servers] MUST reject requests without a code_challenge from public clients

I still think the text around "Enforce their use" could be improved to clarify this point
https://www.ietf.org/archive/id/draft-ietf-oauth-v2-1-08.html#name-countermeasures-2

Meanwhile https://www.ietf.org/archive/id/draft-ietf-oauth-security-topics-22.html says "Public clients MUST use PKCE" but (so far as I can see) doesn't specify the authorization server behaviour if a public client omits code_challenge. I think this would be worthwhile to specify, i.e. "Authorization servers MUST reject requests without a code_challenge from public clients"
https://www.ietf.org/archive/id/draft-ietf-oauth-security-topics-22.html
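The following is an added example, not code from the thread or from any IETF draft. It models the stricter reading the thread ends up with: an authorization server that refuses an authorization request from a public client when code_challenge is absent, and refuses the token exchange unless code_verifier hashes to the challenge bound to the code. The client ids, the in-memory code store, and the restriction to the S256 method are assumptions made for the demo; only the S256 transform itself (BASE64URL(SHA256(ASCII(code_verifier))), RFC 7636) is standard.

```python
"""Added example (not from the mailing-list thread or any IETF draft):
a toy authorization server that enforces PKCE the strict way, i.e. a
public client that omits code_challenge is rejected at the authorization
endpoint, and a token request fails unless code_verifier matches the
challenge stored with the code. Client ids, the in-memory store, and the
S256-only policy are constructed assumptions for this demo."""
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Set, Tuple


def b64url_nopad(raw: bytes) -> str:
    """Base64url without '=' padding, the encoding PKCE (RFC 7636) uses."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """High-entropy verifier: 32 random bytes -> 43 base64url characters."""
    return b64url_nopad(secrets.token_bytes(32))


def code_challenge_s256(code_verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url_nopad(hashlib.sha256(code_verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Models only the PKCE-relevant checks of the two endpoints.
    Accepting only S256 is a simplification of this example."""

    def __init__(self, public_clients: Set[str]):
        self.public_clients = set(public_clients)
        # issued code -> (client_id it was issued to, code_challenge or "")
        self._codes: Dict[str, Tuple[str, str]] = {}

    def authorize(self, client_id: str, code_challenge: Optional[str] = None,
                  code_challenge_method: str = "S256") -> Tuple[bool, str]:
        """Authorization endpoint: returns (True, code) or (False, error)."""
        # Strict reading of "enforce their use": a public client that sends no
        # code_challenge gets invalid_request instead of an authorization code.
        if client_id in self.public_clients and not code_challenge:
            return False, "invalid_request: code_challenge required for public clients"
        if code_challenge is not None and code_challenge_method != "S256":
            return False, "invalid_request: unsupported code_challenge_method"
        code = b64url_nopad(secrets.token_bytes(16))
        self._codes[code] = (client_id, code_challenge or "")
        return True, code

    def token(self, code: str, client_id: str,
              code_verifier: Optional[str] = None) -> Tuple[bool, str]:
        """Token endpoint: single-use codes, verifier must hash to the bound challenge."""
        entry = self._codes.pop(code, None)  # pop: a replayed code always fails
        if entry is None:
            return False, "invalid_grant: unknown or already used code"
        bound_client, challenge = entry
        if bound_client != client_id:
            return False, "invalid_grant: code issued to a different client"
        if challenge:
            if code_verifier is None:
                return False, "invalid_grant: code_verifier required"
            expected = code_challenge_s256(code_verifier)
            if not hmac.compare_digest(expected, challenge):
                return False, "invalid_grant: code_verifier does not match"
        return True, "access_token_" + b64url_nopad(secrets.token_bytes(8))


def demo() -> Dict[str, bool]:
    """Runs the scenarios discussed in the thread; returns each outcome by name."""
    srv = AuthorizationServer(public_clients={"mobile-app"})  # constructed client id
    verifier = make_code_verifier()
    challenge = code_challenge_s256(verifier)

    # Public client without code_challenge: rejected at the authorization endpoint.
    no_pkce_ok, _ = srv.authorize("mobile-app")

    # Correct PKCE flow end to end.
    ok, code = srv.authorize("mobile-app", code_challenge=challenge)
    good_exchange, _ = srv.token(code, "mobile-app", verifier)

    # The code-injection case the draft guards against: a code presented with a
    # verifier that does not match its challenge fails, and so does a replay.
    ok2, code2 = srv.authorize("mobile-app", code_challenge=challenge)
    wrong_verifier, _ = srv.token(code2, "mobile-app", make_code_verifier())
    replay, _ = srv.token(code2, "mobile-app", verifier)

    return {
        "public_client_without_challenge_rejected": not no_pkce_ok,
        "pkce_flow_succeeds": ok and good_exchange,
        "wrong_verifier_rejected": ok2 and not wrong_verifier,
        "code_replay_rejected": not replay,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {'PASS' if result else 'FAIL'}")
```

The server pops the code from its store before checking the verifier, so a code that fails verification is consumed rather than left available for another attempt, and `hmac.compare_digest` keeps the challenge comparison constant-time.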
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth