As a clarifying question, you are saying "Servers must support" and not
"Servers must require clients to use PKCE".
-Jared
Skype: jaredljennings
Signal:+1 816.730.9540
WhatsApp: +1 816.678.4152
On Wed, May 6, 2020 at 4:04 PM Mike Jones wrote:
> As is being discussed in the thread “[OAUTH-WG] OA
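The distinction Jared's question turns on, an authorization server that supports PKCE versus one that requires it, written out as the two endpoint-side checks. This is an added example, not code from the thread or from any OAuth implementation; the function names, the `require_pkce` policy flag and the `stored` tuple bound to the authorization code are assumptions.

```python
import base64
import hashlib
import hmac

# Assumed policy knob: a "supporting" server verifies PKCE whenever the client
# used it; a "requiring" server also refuses authorization requests that omit it.
REQUIRE_PKCE = False

def s256_challenge(code_verifier: str) -> str:
    """RFC 7636 S256 transform: BASE64URL(SHA256(ASCII(code_verifier))), unpadded."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def authorize(code_challenge, code_challenge_method, require_pkce=REQUIRE_PKCE):
    """Authorization endpoint side: decide what PKCE state to bind to the code.
    Returns (ok, error_code, stored); 'stored' is kept alongside the issued code."""
    if code_challenge is None:
        if require_pkce:
            return False, "invalid_request", None   # requiring server: reject
        return True, None, None                      # supporting server: allow
    method = code_challenge_method or "plain"        # RFC 7636 default when absent
    if method not in ("S256", "plain"):
        return False, "invalid_request", None
    return True, None, (code_challenge, method)

def exchange(stored, code_verifier):
    """Token endpoint side: check code_verifier against what /authorize stored."""
    if stored is None:
        # Code was issued without PKCE; a verifier arriving now is a mismatch.
        return (True, None) if code_verifier is None else (False, "invalid_grant")
    if code_verifier is None or not 43 <= len(code_verifier) <= 128:
        return False, "invalid_grant"                # RFC 7636 verifier length bounds
    challenge, method = stored
    expected = s256_challenge(code_verifier) if method == "S256" else code_verifier
    # Constant-time comparison so verification timing does not leak the challenge.
    if not hmac.compare_digest(expected, challenge):
        return False, "invalid_grant"
    return True, None
```

Flipping `REQUIRE_PKCE` to `True` is the only change between the "must support" and "must require" readings of the draft text; everything at the token endpoint stays the same.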
The document is called "...Best Current Practice ..." and includes
recommendations. Could it be sufficient to say "Authorization servers
support PKCE" in section 2.1.1? I believe MUST and other such terms
may not necessarily belong in such a document.
Regards,
Sascha
On Wed, 6 May 2020 at 14:04,
As is being discussed in the thread "[OAUTH-WG] OAuth 2.1 - require PKCE?",
https://tools.ietf.org/html/draft-ietf-oauth-security-topics-15#section-2.1.1
has inconsistent requirements for PKCE support between clients and servers.
Per the first paragraph, clients must either use PKCE or use the