[Openid-specs-fapi] Issue #512: Protocol run identifier such as nonce or PKCE should be required (openid/fapi)
Nat
issues-reply at bitbucket.org
Mon Jul 4 14:39:42 UTC 2022
New issue 512: Protocol run identifier such as nonce or PKCE should be required
https://bitbucket.org/openid/fapi/issues/512/protocol-run-identifier-such-as-nonce-or
Nat Sakimura:
# Comments
Both OpenID Connect and OAuth 1.1 protect the integrity of the entire protocol run using `nonce` and PKCE parameters respectively. Perhaps this fact should be pointed out somewhere.
# Proposal
I am unsure of where to put this, but perhaps something along the lines of the following could be inserted somewhere:
> JARM can be used both for OAuth and OpenID Connect. When using OAuth 2.0 without OpenID Connect, PKCE MUST be used to protect the integrity of the entire protocol run. When using OpenID Connect with a response type without `id_token` in it, the Authorization Server MUST return `nonce` in the ID Token even though the ID Token is being returned from the token endpoint.
>
> Note: OAuth 2.1 has built-in PKCE.
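The two run identifiers the issue refers to, shown as an added example that is not part of the issue text or the FAPI specification: the client derives a fresh PKCE `code_verifier`/`code_challenge` (S256, RFC 7636) and a fresh `nonce` per protocol run; the authorization server checks the verifier at the token endpoint, and the client checks that the `nonce` in the ID Token (even one returned from the token endpoint) matches the one it sent. The `new_run`, `as_verify_pkce` and `client_verify_nonce` function names are assumptions for this illustration; the ID Token claims are passed in as an already-validated dict.

```python
import base64
import hashlib
import secrets


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires for PKCE values."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def compute_challenge(code_verifier: str) -> str:
    """S256 transform: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


def new_run() -> dict:
    """Client side: per-run values that tie the code exchange (PKCE) and the
    ID Token (nonce) to this particular authorization request."""
    verifier = b64url(secrets.token_bytes(32))  # 43 chars, within RFC 7636's 43..128
    return {
        "code_verifier": verifier,
        "code_challenge": compute_challenge(verifier),
        "code_challenge_method": "S256",
        "nonce": b64url(secrets.token_bytes(16)),
    }


def as_verify_pkce(stored_challenge: str, presented_verifier: str) -> bool:
    """Authorization server side: the challenge stored with the authorization
    request must equal the S256 transform of the verifier sent to the token
    endpoint, otherwise the code is being redeemed outside the run that began it."""
    return secrets.compare_digest(compute_challenge(presented_verifier), stored_challenge)


def client_verify_nonce(id_token_claims: dict, expected_nonce: str) -> bool:
    """Client side: the nonce claim must be present and equal the nonce sent in
    the authorization request. This applies to an ID Token obtained from the
    token endpoint (response_type=code) just as to one from the front channel."""
    got = id_token_claims.get("nonce")
    return isinstance(got, str) and secrets.compare_digest(got, expected_nonce)


if __name__ == "__main__":
    run = new_run()
    print("PKCE ok:", as_verify_pkce(run["code_challenge"], run["code_verifier"]))
    # Constructed ID Token claims, as if already signature-checked by the client.
    print("nonce ok:", client_verify_nonce({"sub": "alice", "nonce": run["nonce"]}, run["nonce"]))
```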