[Openid-specs-fapi] The reasons behind requiring PKCE for confidential clients?

Nat Sakimura nat at sakimura.org
Thu Aug 24 17:43:19 UTC 2017


Hi.

The current text reads as if it requires PKCE support even for
confidential clients.
Do you remember the reason for it? Or is it just an editorial error?

John may have mentioned a potential attack that PKCE could help with, but I do
not quite remember the details...

If it is an error, then we should fix it for the final.

Best,
-- 
Nat Sakimura
Research Fellow, Nomura Research Institute
Chairman of the Board, OpenID Foundation
