You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
using code_challenge and code_verifier is REQUIRED for clients, and authorization servers MUST enforce their use, unless ... The client is a confidential client. ... In this case, using and enforcing code_challenge and code_verifier is still RECOMMENDED.
Thus it would be useful to have an 'enforce client use of PKCE' option with choices: none, public, all.
The text was updated successfully, but these errors were encountered:
Perhaps it would be more straightforward to have one option to enforce OAuth 2.1 compliance. (In case there are more requirements for OAuth 2.1 in the final version)
OAuth best practice is to enforce that clients use PKCE. Draft OAuth 2.1 insists authorization servers enforce the use of PKCE by public clients, and recommends enforcing it for all clients https://www.ietf.org/archive/id/draft-ietf-oauth-v2-1-08.html#name-countermeasures-2
Thus it would be useful to have an 'enforce client use of PKCE' option with choices: none, public, all.
The text was updated successfully, but these errors were encountered: