[Openid-specs-fapi] Issue #293: PKCE & Nonce Security Considerations (openid/fapi)

dgtonge issues-reply at bitbucket.org
Wed May 20 14:49:03 UTC 2020


New issue 293: PKCE & Nonce Security Considerations
https://bitbucket.org/openid/fapi/issues/293/pkce-nonce-security-considerations

Dave Tonge:

@{5b73d0fb816d1805baacb64f} has posted a very useful analysis of nonce and PKCE:

[https://danielfett.de/2020/05/16/pkce-vs-nonce-equivalent-or-not/](https://danielfett.de/2020/05/16/pkce-vs-nonce-equivalent-or-not/)

We should consider whether to add additional security considerations around this in FAPI and if so, whether they need to be in part 1 or part 2.

There was discussion on the call today of potentially requiring servers to reject token requests with a code_verifier where none was expected.

There was also discussion about whether in Part 2 we are protected against such attacks due to the integrity protection from JARM or ID Tokens.

We agreed to open this issue for further discussion.
