[Openid-specs-fapi] Issue #307: FAPI-RW: Require pkce when using PAR (openid/fapi)

josephheenan issues-reply at bitbucket.org
Thu Aug 20 11:27:01 UTC 2020

New issue 307: FAPI-RW: Require pkce when using PAR

Joseph Heenan:

As mentioned at https://bitbucket.org/openid/fapi/issues/304/are-duplicates-of-the-response_type-and#comment-58471296 and discussed on this week's call, we should require PKCE support when using PAR with FAPI1 RW.

The reasons for requiring it are:

1. It moves the onus to be secure from client side to server side, which is important as we have seen many clients in the OpenBanking UK ecosystem that just don't implement the existing security checks like s_hash or checking the signatures on id_tokens.
2. It aligns with the OAuth security BCP and FAPI2.

The reason for only requiring it for PAR is that mention of PAR will be new to FAPI-RW ID3 (ID2 only mentions the pre-IETF pushed request objects spec), so requiring it for PAR will not be a breaking change. (We previously made the decision not to enable it for the non-PAR case as we did not want to force that level of upheaval onto the UK OB ecosystem.)



Responsible: Joseph Heenan

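The point in reason 1 above, that PKCE lets the authorization server rather than the client enforce the binding between the authorization code and the party that started the flow, can be seen in a minimal server-side implementation. The following is an added example written for this page, not code from the issue, from the FAPI specification or from any OpenBanking implementation. It models a PAR endpoint that rejects pushed requests without an S256 code_challenge, an authorization endpoint that issues a code bound to that challenge, and a token endpoint that verifies the code_verifier. The class and method names (AuthServer, par_endpoint, authorize, token_endpoint), the client_id "tpp-1", the redirect URI and the error strings are assumptions chosen for illustration; HTTP transport, client authentication, request_uri expiry and the rest of PAR and FAPI-RW are omitted.

```python
"""Added example (not from the original post or the FAPI spec): a minimal
authorization server that enforces PKCE (RFC 7636, S256) on pushed
authorization requests (PAR) so that the code-injection check happens
server-side, whether or not the client verifies s_hash or id_token
signatures. Endpoint names, storage and messages are simplified stand-ins."""
from __future__ import annotations

import base64
import hashlib
import hmac
import secrets


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# --- client side ----------------------------------------------------------
def make_pkce_pair() -> tuple[str, str]:
    """Return (code_verifier, code_challenge); 32 random bytes give a 43-char verifier."""
    verifier = b64url(secrets.token_bytes(32))
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


# --- authorization server (hypothetical, simplified) ----------------------
class AuthServer:
    def __init__(self) -> None:
        self._par: dict[str, dict] = {}    # request_uri -> pushed parameters
        self._codes: dict[str, dict] = {}  # authorization code -> bound parameters

    def par_endpoint(self, params: dict) -> dict:
        """Pushed Authorization Request: the server, not the client, insists on PKCE."""
        if params.get("code_challenge_method") != "S256":
            raise ValueError("invalid_request: code_challenge_method must be S256")
        challenge = params.get("code_challenge", "")
        if not 43 <= len(challenge) <= 128:  # RFC 7636 length bounds
            raise ValueError("invalid_request: code_challenge missing or malformed")
        request_uri = "urn:ietf:params:oauth:request_uri:" + secrets.token_urlsafe(16)
        self._par[request_uri] = dict(params)
        return {"request_uri": request_uri, "expires_in": 60}

    def authorize(self, client_id: str, request_uri: str) -> str:
        """Authorization endpoint: consume the request_uri, bind the code to its challenge."""
        pushed = self._par.pop(request_uri, None)  # single use
        if pushed is None or pushed.get("client_id") != client_id:
            raise ValueError("invalid_request: unknown or mismatched request_uri")
        code = secrets.token_urlsafe(24)
        self._codes[code] = {"client_id": client_id,
                             "code_challenge": pushed["code_challenge"]}
        return code

    def token_endpoint(self, client_id: str, code: str, code_verifier: str) -> dict:
        """Token endpoint: whoever redeems the code must hold the original verifier."""
        bound = self._codes.pop(code, None)  # single use
        if bound is None or bound["client_id"] != client_id:
            raise ValueError("invalid_grant: unknown code")
        expected = b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
        if not hmac.compare_digest(expected, bound["code_challenge"]):
            raise ValueError("invalid_grant: PKCE verification failed")
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer"}


def run_flow(tamper_verifier: bool = False) -> str:
    """Happy path, or the case where a party that obtained the code (e.g. by
    code injection) tries to redeem it without the original verifier."""
    srv = AuthServer()
    verifier, challenge = make_pkce_pair()
    par = srv.par_endpoint({"client_id": "tpp-1", "response_type": "code",
                            "redirect_uri": "https://tpp.example/cb",
                            "scope": "openid accounts",
                            "code_challenge": challenge,
                            "code_challenge_method": "S256"})
    code = srv.authorize("tpp-1", par["request_uri"])
    if tamper_verifier:
        verifier = make_pkce_pair()[0]  # attacker's own verifier, cannot match
    try:
        srv.token_endpoint("tpp-1", code, verifier)
        return "token_issued"
    except ValueError as e:
        return str(e)


def run_without_pkce() -> str:
    """A client that omits PKCE is stopped at the PAR endpoint, before any code exists."""
    srv = AuthServer()
    try:
        srv.par_endpoint({"client_id": "tpp-1", "response_type": "code"})
        return "accepted"
    except ValueError as e:
        return str(e)


if __name__ == "__main__":
    print(run_flow())
    print(run_flow(tamper_verifier=True))
    print(run_without_pkce())
```

The server stores the code_challenge with the pushed request and again with the issued code, so a client that never checks s_hash or the id_token signature is still protected: a code obtained by a third party cannot be exchanged without the verifier, and a request that omits PKCE is refused before any code is issued.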