> On 15 Sep 2025, at 18:59, Dick Hardt <[email protected]> wrote:
> 
> 
> Hey everyone, 
> 
> A key decision in adopting the OAuth 2.1 work was that there would be no new 
> normative text. As it turns out, we do need to add the ability for the AS and 
> client to discover if the other party supports OAuth 2.1.
> 
> There are a number of protocol features that are valid in OAuth 2.0 that are 
> not valid in OAuth 2.1. For example, the code_challenge is REQUIRED in OAuth 
> 2.1.
> 
> We are proposing the following normative additions to support version support 
> discovery between the AS and the client. 
> 
> For a client to know if an AS supports 2.1, the AS metadata contains a new 
> "oauth_versions_supported" property that is an array of version strings. 
> 
> example:
> 
> "oauth_versions_supported": ["2.0","2.1"]
> 
> This indicates the AS supports both OAuth 2.0 and OAuth 2.1
> 
> For an AS to learn that a client supports 2.1, the client would include in 
> its metadata the "oauth_version" property which would contain the string "2.1"
> 
> example:
> 
> "oauth_version": "2.1" 
> 
> Note that there is no explicit signal from the client or server at runtime as 
> to whether a given request or response conforms to OAuth 2.0 or OAuth 2.1.
> 
> 
> https://github.com/oauth-wg/oauth-v2-1/issues/120
> 

With respect to code_challenge, the way this should work is that clients that 
support PKCE should always be able to send it opportunistically. ASes that don’t 
support it will ignore it. A 2.1 client should then always send it and a 2.1 
server should always honour it. However, we know that in practice some ASes 
have broken spec compliance and actively reject unrecognised parameters (RFC 
6749 §3.1: “The authorization server MUST ignore unrecognized request 
parameters”), so clients have to hard-code lists of ASes that don’t support 
PKCE. 

Is the intent of this change to work around this by having the client only 
attempt PKCE when the AS advertises that it supports 2.1? I feel like this will 
only result in a net reduction in the use of PKCE, at least until 2.1 support in 
servers becomes very widespread. 

Can you clarify if that is the problem this change is intended to address?

Best wishes,
Neil
_______________________________________________
OAuth mailing list -- [email protected]
To unsubscribe send an email to [email protected]