[Openid-specs-ab] Best practices for native+server client

Nat Sakimura sakimura at gmail.com
Sat Jul 20 19:03:35 UTC 2019

So, what is the best practices for native app + server based client? There can be several patterns but I don't think we have actually documented them.

An app getting ID token using PKCE and sending it over to the server does not feel right as the binding between the App and the server component is pretty weak.

An app sending a PKCE request and getting back the code that is being sent to the server with the code verifier that are used by the server component to obtain ID Token feels a bit better.

Any suggestions?

Nat Sakimura
Chairman, OpenID Foundation
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20190721/dd8b65f1/attachment.html>

More information about the Openid-specs-ab mailing list