I am happy with this proposed wording. Thanks for updating it. — Neil
> On 11 May 2020, at 19:52, Aaron Parecki <aa...@parecki.com> wrote:
>
> Thanks for the lively discussion around PKCE in OAuth 2.1 everyone!
>
> We would like to propose the following text, which is a slight variation from
> the text Neil proposed. This would replace the paragraph in 4.1.2.1
> (https://tools.ietf.org/html/draft-parecki-oauth-v2-1-02#section-4.1.2.1)
> that begins with "If the client does not send the "code_challenge" in the
> request..."
>
> "An AS MUST reject requests without a code_challenge from public clients, and
> MUST reject such requests from other clients unless there is reasonable
> assurance that the client mitigates authorization code injection in other
> ways. See section 9.7 for details."
>
> Section 9.7 is where the nuances of PKCE vs nonce are described.
>
> As Neil described, we believe this will allow ASs to support both OAuth 2.0
> and 2.1 clients simultaneously. The change from Neil's text is the
> clarification of which threats, and changing to MUST instead of SHOULD. The
> "MUST...unless" is more specific than "SHOULD", and since we are already
> describing the explicit exception to the rule, it's more clear as a MUST here.
>
> Aaron Parecki
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
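As an added illustration, not part of this thread or of the OAuth 2.1 draft, the proposed 4.1.2.1 rule as an authorization-server check, together with the RFC 7636 S256 verifier check at the token endpoint that makes a bound code useless to anyone who injects it. The `other_injection_mitigation` registration flag is an assumed stand-in for the draft's "reasonable assurance" that a confidential client mitigates code injection another way; the in-memory code store is constructed for the example.

```python
import base64
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class RegisteredClient:
    client_id: str
    is_public: bool
    # Assumed registration flag: the AS has reasonable assurance that this
    # (confidential) client mitigates authorization code injection another way.
    other_injection_mitigation: bool = False


def s256_challenge(code_verifier: str) -> str:
    """RFC 7636 S256: BASE64URL(SHA256(ASCII(code_verifier))) without padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def authorization_request_allowed(client: RegisteredClient, code_challenge: Optional[str]) -> bool:
    """Proposed 4.1.2.1 text: without a code_challenge, reject public clients,
    and reject other clients unless another mitigation is reasonably assured."""
    if code_challenge:
        return True
    if client.is_public:
        return False
    return client.other_injection_mitigation


# Constructed in-memory store of issued codes: code -> (client_id, bound challenge or None).
ISSUED_CODES: dict = {}


def issue_code(client: RegisteredClient, code_challenge: Optional[str]) -> Optional[str]:
    """Authorization endpoint: apply the rule, then bind the code to the challenge."""
    if not authorization_request_allowed(client, code_challenge):
        return None
    code = secrets.token_urlsafe(32)
    ISSUED_CODES[code] = (client.client_id, code_challenge)
    return code


def redeem_code(client_id: str, code: str, code_verifier: Optional[str]) -> bool:
    """Token endpoint: a code bound to a challenge is redeemable only by the party
    holding the matching verifier, so an injected (stolen) code cannot be cashed in."""
    entry = ISSUED_CODES.pop(code, None)  # single use: remove before checking
    if entry is None or entry[0] != client_id:
        return False
    bound_challenge = entry[1]
    if bound_challenge is None:
        return True  # issued without PKCE under the confidential-client exception
    if code_verifier is None:
        return False
    return hmac.compare_digest(s256_challenge(code_verifier), bound_challenge)
```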