[Openid-specs-fapi] Issue #293: PKCE & Nonce Security Considerations (openid/fapi)
dgtonge
issues-reply at bitbucket.org
Wed May 20 14:49:03 UTC 2020
New issue 293: PKCE & Nonce Security Considerations
https://bitbucket.org/openid/fapi/issues/293/pkce-nonce-security-considerations
Dave Tonge:
@{5b73d0fb816d1805baacb64f} has posted a very useful analysis of nonce and PKCE:
https://danielfett.de/2020/05/16/pkce-vs-nonce-equivalent-or-not/
We should consider whether to add additional security considerations around this in FAPI and if so, whether they need to be in part 1 or part 2.
There was discussion on the call today of potentially requiring servers to reject token requests with a code_verifier where none was expected.
There was also discussion about whether in Part 2 we are protected against such attacks due to the integrity protection from JARM or ID Tokens.
We agreed to open this issue for further discussion.
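Added example, not code from the issue, the linked analysis or the FAPI specifications: a token-endpoint check in Python that performs the rejection discussed above. Each issued code is bound to the code_challenge the authorization request did or did not carry, and a token request presenting a code_verifier where no code_challenge was bound is refused; `issue_code`, `verify_token_request` and the in-memory store are assumptions of this illustration.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed example: an in-memory record of what each issued authorization
# code was bound to. A real server persists this alongside the code.


def s256_challenge(code_verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) per RFC 7636."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def issue_code(store: dict, code_challenge: Optional[str] = None,
               code_challenge_method: Optional[str] = None) -> str:
    """Authorization endpoint side (hypothetical): bind the code to the PKCE
    parameters that were, or were not, present in the authorization request."""
    code = secrets.token_urlsafe(32)
    store[code] = {"code_challenge": code_challenge,
                   "code_challenge_method": code_challenge_method}
    return code


def verify_token_request(store: dict, code: str,
                         code_verifier: Optional[str]) -> Tuple[bool, str]:
    """Token endpoint side (hypothetical). Returns (accepted, reason)."""
    record = store.pop(code, None)  # single use: removed on first presentation
    if record is None:
        return False, "invalid_grant: unknown or already used code"
    challenge = record["code_challenge"]
    if challenge is None:
        # No code_challenge was bound to this code. A code_verifier here means
        # the token request does not belong to the authorization request that
        # produced the code; this is the rejection discussed in the issue.
        if code_verifier is not None:
            return False, "invalid_grant: code_verifier present but no code_challenge was bound"
        return True, "ok: no PKCE bound to this code"
    if record["code_challenge_method"] != "S256":
        return False, "invalid_request: only S256 is accepted"  # 'plain' rejected
    if code_verifier is None:
        return False, "invalid_grant: code_verifier required"
    if not 43 <= len(code_verifier) <= 128:
        return False, "invalid_grant: code_verifier length outside RFC 7636 bounds"
    if not hmac.compare_digest(s256_challenge(code_verifier), challenge):
        return False, "invalid_grant: code_verifier does not match code_challenge"
    return True, "ok: PKCE verified"
```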