In Prague we've seen and talked about this point from Torsten's deck <https://datatracker.ietf.org/meeting/104/materials/slides-104-oauth-sessa-security-topics-00>
> Use PKCE for CSRF prevention instead of state parameter
>
> - PKCE is mandatory now and can fulfill this additional task
> - Simplifies recommendations and makes state available again for original purpose (carry client transaction data)

While PKCE is now the suggested countermeasure to some attacks and is to be used by Clients, it's not yet mandatory to be implemented by the AS, and the client has no way of knowing for sure whether it's implemented (due to how PKCE is defined as backwards compatible for clients when the AS lacks support for it). Since at no point in time does the client receive anything from the AS suggesting that PKCE is in effect, is this a wise recommendation to make in its current form? Some might interpret this as: if they don't need state to carry any client transaction data, they might as well just use PKCE and omit state altogether, although the server does not support PKCE.

Best regards,
*Filip Skokan*
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
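The concern raised above, that a client dropping `state` in favour of PKCE is unprotected when the AS silently ignores PKCE, is easy to reproduce in code. The following is an added, self-contained Python simulation written for this thread; it is not code from the poster, the slide deck, or any OAuth library. It models a toy authorization server whose PKCE support is a constructor flag (an assumption for the simulation) and a client that can be run with or without its `state` check, then replays a login-CSRF callback (a code bound to one session delivered into another) through each combination. The S256 challenge computation is checked against the RFC 7636 Appendix B vector.

```python
import base64
import hashlib
import secrets
from dataclasses import dataclass


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires for the challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def s256_challenge(code_verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) (RFC 7636 4.2)."""
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


@dataclass
class PendingAuth:
    state: str
    code_verifier: str


class Client:
    """Authorization-code client keeping one pending request per browser session."""

    def __init__(self) -> None:
        self.pending: dict[str, PendingAuth] = {}

    def start(self, session_id: str) -> dict:
        verifier = b64url(secrets.token_bytes(32))
        state = b64url(secrets.token_bytes(16))
        self.pending[session_id] = PendingAuth(state, verifier)
        return {"response_type": "code", "state": state,
                "code_challenge": s256_challenge(verifier),
                "code_challenge_method": "S256"}

    def finish(self, session_id: str, callback: dict, srv: "ToyAS",
               check_state: bool = True):
        pend = self.pending.pop(session_id, None)
        if pend is None:
            return None
        # The state check is the only local, AS-independent binding of the
        # callback to the session that started the request.
        if check_state and callback.get("state") != pend.state:
            return None
        return srv.token(callback["code"], pend.code_verifier)


class ToyAS:
    """Simulated AS; supports_pkce=False models an AS that ignores the challenge."""

    def __init__(self, supports_pkce: bool) -> None:
        self.supports_pkce = supports_pkce
        self.codes: dict[str, tuple[str, str | None]] = {}

    def authorize(self, request: dict, user: str) -> dict:
        code = b64url(secrets.token_bytes(16))
        challenge = request.get("code_challenge") if self.supports_pkce else None
        self.codes[code] = (user, challenge)
        # An AS that ignores PKCE still echoes state; the client sees no difference.
        return {"code": code, "state": request.get("state")}

    def token(self, code: str, code_verifier: str):
        entry = self.codes.pop(code, None)
        if entry is None:
            return None
        user, challenge = entry
        if challenge is not None and s256_challenge(code_verifier) != challenge:
            return None
        return {"access_token": "tok-for-" + user}


def login_csrf_succeeds(as_supports_pkce: bool, client_checks_state: bool) -> bool:
    """Replay a code issued to session 'attacker' inside session 'victim'.

    Returns True when the victim session ends up holding the attacker's token,
    i.e. the login-CSRF was not caught. Sessions and users are constructed."""
    client = Client()
    srv = ToyAS(as_supports_pkce)
    attacker_req = client.start("attacker")
    attacker_cb = srv.authorize(attacker_req, "attacker")
    client.start("victim")  # victim has a genuine pending request of its own
    result = client.finish("victim", attacker_cb, srv, check_state=client_checks_state)
    return result is not None and result["access_token"] == "tok-for-attacker"


if __name__ == "__main__":
    for pkce in (True, False):
        for state in (True, False):
            print(f"AS PKCE={pkce!s:5} client state check={state!s:5} "
                  f"-> CSRF succeeds: {login_csrf_succeeds(pkce, state)}")
```

Only the combination "AS without PKCE, client without `state`" lets the foreign code through: the code_verifier mismatch that PKCE would have caught at the token endpoint never happens because the AS stored no challenge, and nothing in the callback tells the client that this is the case. Keeping `state` (or an equivalent session-bound nonce) preserves the check that does not depend on the AS.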