[Openid-specs-fapi] The reasons behind requiring PKCE for confidential clients?
Nat Sakimura
nat at sakimura.org
Thu Aug 24 17:43:19 UTC 2017
Hi.
Current text reads like it is requiring PKCE support even for the
confidential client.
Do you remember the reason for it? Or is it just an editorial error?
John may have mentioned a potential attack that PKCE could help but I do
not quite remember the details...
If it is an error, then we should fix it for the final.
Best,
--
Nat Sakimura
Research Fellow, Nomura Research Institute
Chairman of the Board, OpenID Foundation
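Added example, not code from the thread or from the FAPI specification: a minimal PKCE S256 exchange in Python with a constructed stand-in authorization server, showing the code_verifier/code_challenge binding that the token endpoint enforces regardless of whether the client is public or confidential. The class and function names are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import secrets


def make_code_verifier(n_bytes: int = 32) -> str:
    """Client side: high-entropy verifier, 43..128 unreserved chars (RFC 7636 s4.1)."""
    return base64.urlsafe_b64encode(secrets.token_bytes(n_bytes)).rstrip(b"=").decode("ascii")


def code_challenge_s256(verifier: str) -> str:
    """BASE64URL(SHA256(ASCII(code_verifier))) without padding (RFC 7636 s4.2)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class AuthorizationServer:
    """Constructed stand-in AS: stores the challenge with the issued code and
    checks the verifier at the token endpoint (hypothetical, not a real AS)."""

    def __init__(self) -> None:
        self._codes = {}

    def authorize(self, client_id: str, code_challenge: str, method: str) -> str:
        if method != "S256":            # plain method is rejected outright
            raise ValueError("only S256 is accepted")
        code = secrets.token_urlsafe(24)
        self._codes[code] = (client_id, code_challenge)
        return code

    def token(self, client_id: str, code: str, code_verifier: str) -> bool:
        entry = self._codes.pop(code, None)     # a code is single-use
        if entry is None or entry[0] != client_id:
            return False
        if not 43 <= len(code_verifier) <= 128:
            return False
        # Constant-time compare of the recomputed challenge against the stored one.
        return hmac.compare_digest(code_challenge_s256(code_verifier), entry[1])


def run_flow(verifier_matches: bool) -> bool:
    """Full exchange; with a mismatched verifier the token request must fail."""
    auth = AuthorizationServer()
    verifier = make_code_verifier()
    code = auth.authorize("client-1", code_challenge_s256(verifier), "S256")
    presented = verifier if verifier_matches else make_code_verifier()
    return auth.token("client-1", code, presented)
```

The first assertion below uses the RFC 7636 Appendix B test vector, so the challenge derivation can be checked against the standard.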