[Openid-specs-fapi] The reasons behind requiring PKCE for confidential clients?
Torsten Lodderstedt
torsten at lodderstedt.net
Fri Aug 25 09:15:49 UTC 2017
Hi Nat,
just guessing - the new OAuth security BCP recommends use of PKCE for detecting/preventing code injection attacks. That might be the reason for adding the requirement to the FAPI profile.
I know the hybrid flow ("code id_token") is an alternative countermeasure in the OIDC space. So my question is: will FAPI allow use of pure authz code flow? Then recommending PKCE for code injection makes a lot of sense.
best regards,
Torsten.
> On 24.08.2017 at 19:43, Nat Sakimura via Openid-specs-fapi <openid-specs-fapi at lists.openid.net> wrote:
>
> Hi.
>
> Current text reads like it is requiring PKCE support even for the confidential client.
> Do you remember the reason for it? Or is it just an editorial error?
>
> John may have mentioned a potential attack that PKCE could help but I do not quite remember the details...
>
> If it is an error, then we should fix it for the final.
>
> Best,
> --
> Nat Sakimura
> Research Fellow, Nomura Research Institute
> Chairman of the Board, OpenID Foundation
> _______________________________________________
> Openid-specs-fapi mailing list
> Openid-specs-fapi at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-fapi
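To make concrete the code-injection countermeasure Torsten refers to, here is an added example (not code from this thread, from FAPI, or from any OAuth library) of a hypothetical minimal authorization server that binds each issued code to the S256 code_challenge of its authorization request. A code obtained in one session and injected into a confidential client's other session is rejected at the token endpoint because that session's code_verifier does not match the stored challenge.

```python
import base64
import hashlib
import hmac
import secrets


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def s256_challenge(verifier: str) -> str:
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def make_pkce_pair():
    """Fresh per-request verifier (43+ chars) and its S256 challenge."""
    verifier = b64url(secrets.token_bytes(32))
    return verifier, s256_challenge(verifier)


class AuthorizationServer:
    """Hypothetical AS: stores (client_id, code_challenge) per issued code
    and verifies the presented code_verifier at the token endpoint."""

    def __init__(self):
        self._codes = {}

    def authorize(self, client_id: str, code_challenge: str) -> str:
        code = b64url(secrets.token_bytes(16))
        self._codes[code] = (client_id, code_challenge)
        return code

    def token(self, client_id: str, code: str, code_verifier: str) -> str:
        entry = self._codes.pop(code, None)  # codes are single-use
        if entry is None or entry[0] != client_id:
            return "invalid_grant"
        # Constant-time compare of the recomputed challenge with the stored one.
        if not hmac.compare_digest(s256_challenge(code_verifier), entry[1]):
            return "invalid_grant"  # code not issued for this session's verifier
        return "access_token"


def run_scenario():
    """Constructed scenario: session A (verifier v_a) is handed a code
    that was issued for a different request bound to challenge c_b."""
    srv = AuthorizationServer()
    v_a, c_a = make_pkce_pair()
    own_code = srv.authorize("confidential-app", c_a)
    _v_b, c_b = make_pkce_pair()
    injected_code = srv.authorize("confidential-app", c_b)
    return srv.token("confidential-app", injected_code, v_a), \
        srv.token("confidential-app", own_code, v_a)
```

Without the challenge binding, the same server would have accepted the injected code as long as the client credentials were valid, which is why PKCE adds value even for confidential clients.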