[Openid-specs-fapi] The reasons behind requiring PKCE for confidential clients?
nat at sakimura.org
Thu Aug 24 17:43:19 UTC 2017
Current text reads like it is requiring PKCE support even for the
Do you remember the reason for it? Or is it just an editorial error?
John may have mentioned a potential attack that PKCE could help with, but I do
not quite remember the details....
If it is an error, then we should fix it for the final.
Research Fellow, Nomura Research Institute
Chairman of the Board, OpenID Foundation