[Openid-specs-fapi] Issue #352: nonce as PKCE alternative for OIDC flows (openid/fapi)

tlodderstedt issues-reply at bitbucket.org
Sat Dec 12 11:55:12 UTC 2020

New issue 352: nonce as PKCE alternative for OIDC flows

Torsten Lodderstedt:

AS clause 11 currently states:

"shall require PKCE [@!RFC7636] with `S256` as the code challenge method"

The Security BCP and the OAuth 2.1 draft allow use of nonce as an alternative to PKCE for confidential clients. This makes particular sense if the client is an OIDC RP.

I suggest we add this alternative to FAPI 2 baseline as well.
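As an added illustration of the two binding mechanisms the issue compares (not code from the FAPI specification or from this thread), the following Python models an authorization server and a relying party in memory: PKCE `S256` lets the AS reject a code that was not issued for the presenting client's verifier, while the OIDC nonce lets the RP reject an ID token that was not issued for its own authorization request. The `AuthorizationServer` and `RelyingParty` classes, the `user-123` subject and the plain claims dict standing in for a signed ID token are all constructed for the example.

```python
"""
PKCE (RFC 7636, S256) and the OIDC nonce as two ways to bind an authorization
code to the client session that started the flow.  Added illustration, not
code from the FAPI specification or the mailing-list thread; the AS and RP
objects are in-memory stand-ins and the ID token is a plain claims dict.
"""
import base64
import hashlib
import hmac
import secrets


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    # RFC 7636 4.1: 43-128 unreserved characters; 32 random bytes -> 43 chars
    return b64url(secrets.token_bytes(32))


def s256_challenge(verifier: str) -> str:
    # RFC 7636 4.2: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Stand-in AS: remembers what each code was bound to and checks it on redemption."""

    def __init__(self):
        self._codes = {}

    def authorize(self, code_challenge, nonce) -> str:
        code = secrets.token_urlsafe(16)
        self._codes[code] = {"challenge": code_challenge, "nonce": nonce}
        return code

    def token(self, code, code_verifier=None):
        rec = self._codes.pop(code, None)  # codes are single-use
        if rec is None:
            return None
        if rec["challenge"] is not None:
            # PKCE: the token request must prove possession of the verifier
            if code_verifier is None or not hmac.compare_digest(
                    s256_challenge(code_verifier), rec["challenge"]):
                return None
        # Constructed ID token claims; a real AS would return a signed JWT
        return {"sub": "user-123", "nonce": rec["nonce"]}


class RelyingParty:
    """Stand-in OIDC RP / confidential client with one record per login session."""

    def __init__(self, as_, use_pkce):
        self.as_, self.use_pkce = as_, use_pkce
        self.sessions = {}

    def start_login(self, session_id):
        verifier = make_code_verifier() if self.use_pkce else None
        nonce = b64url(secrets.token_bytes(16))
        self.sessions[session_id] = {"verifier": verifier, "nonce": nonce}
        challenge = s256_challenge(verifier) if verifier else None
        return challenge, nonce  # both would go into the authorization request

    def finish_login(self, session_id, code):
        sess = self.sessions[session_id]
        claims = self.as_.token(code, sess["verifier"])
        if claims is None:
            return False
        # nonce check binds the returned ID token to this session's own request
        got = claims.get("nonce")
        return isinstance(got, str) and hmac.compare_digest(got, sess["nonce"])


def honest_flow_succeeds(use_pkce):
    as_ = AuthorizationServer()
    rp = RelyingParty(as_, use_pkce)
    challenge, nonce = rp.start_login("victim")
    code = as_.authorize(challenge, nonce)
    return rp.finish_login("victim", code)


def injected_code_rejected(use_pkce):
    """A code issued for a different session is delivered to the victim's callback."""
    as_ = AuthorizationServer()
    rp = RelyingParty(as_, use_pkce)
    rp.start_login("victim")
    other_challenge, other_nonce = rp.start_login("other")
    foreign_code = as_.authorize(other_challenge, other_nonce)
    return not rp.finish_login("victim", foreign_code)


if __name__ == "__main__":
    for mode in (True, False):
        print("pkce" if mode else "nonce", honest_flow_succeeds(mode), injected_code_rejected(mode))
```

Run with `use_pkce=True` the foreign code fails at the AS token endpoint; with `use_pkce=False` the AS issues the token and the RP's nonce comparison is what catches the mismatch. That difference in where the check happens is why the nonce variant is only equivalent for clients that actually validate the ID token, i.e. an OIDC RP.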
