On Thu, Mar 12, 2020 at 3:03 PM Aaron Parecki <aa...@parecki.com> wrote:
> > The Security BCP recommends S256. > > Is a recommendation enough to change the default? No. How would that work in practice anyway? If no code_challenge_method was present, then you'd need to know which version of OAuth is being used (how?) in order to know which default code challenge method to use. Please don't. -- _CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you._
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
