- changed status to open
Credential issuance with PKCE or without?
The credential issuance draft currently does not specify whether PKCE is to be used or not. Since PKCE is often expected in modern OAuth profiles, this should be discussed.
Comments (4)
-
OAuth 2.1 explicitly does not require PKCE when OpenID Connect is used.
To quote https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-04#section-7.8:
"To this end, using code_challenge and code_verifier is REQUIRED for clients and authorization servers MUST enforce their use,"
There is then a VERY narrow exception that doesn't apply to the majority of the largest OpenID Connect IdPs, and I'm honestly not sure if it applies to SIOP.
-
Code injection is already prevented in OpenID Connect by including the c_hash in the ID Token.
Separately, all of us should be reviewing OAuth 2.1 to ensure that it does not require any breaking changes to OpenID Connect deployments. To the extent that it does (or could be construed to do so), we need to strongly push back in a united manner until the proposed breaking changes are removed from the draft.
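The two code-binding mechanisms the thread contrasts, shown side by side as an added illustration (not code from the issue or from any draft): the PKCE S256 check a token endpoint performs per RFC 7636, and the c_hash check a client performs on the ID Token per OpenID Connect Core 3.3.2.11. The sample authorization codes below are constructed values, not from this page.

```python
import base64
import hashlib
import hmac
import secrets

# Hash implied by the ID Token "alg" header (OIDC Core 3.3.2.11):
# RS256/ES256/HS256 -> SHA-256, *384 -> SHA-384, *512 -> SHA-512.
_ALG_TO_HASH = {"256": "sha256", "384": "sha384", "512": "sha512"}


def _b64url(raw: bytes) -> str:
    """base64url without padding, as used by JOSE and RFC 7636."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def new_code_verifier() -> str:
    """RFC 7636 4.1: 32 random octets -> 43-character base64url verifier."""
    return _b64url(secrets.token_bytes(32))


def pkce_challenge(code_verifier: str) -> str:
    """RFC 7636 S256: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return _b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


def verify_pkce(code_verifier: str, code_challenge: str) -> bool:
    """Authorization server side: recompute the challenge from the verifier
    sent to the token endpoint and compare in constant time."""
    return hmac.compare_digest(pkce_challenge(code_verifier), code_challenge)


def c_hash(code: str, alg: str = "RS256") -> str:
    """OIDC Core 3.3.2.11: base64url of the left-most half of hash(ASCII(code)),
    hash chosen by the ID Token's alg. Unknown alg raises KeyError."""
    digest = hashlib.new(_ALG_TO_HASH[alg[-3:]], code.encode("ascii")).digest()
    return _b64url(digest[: len(digest) // 2])


def verify_c_hash(code: str, id_token_c_hash: str, alg: str = "RS256") -> bool:
    """Client side: the code received in the response must match the c_hash
    carried in the (signature-verified) ID Token, or the code was substituted."""
    return hmac.compare_digest(c_hash(code, alg), id_token_c_hash)


if __name__ == "__main__":
    issued_code = "SplxlOBeZQQYbYS6WxSbIA"       # constructed sample code
    injected_code = "code-substituted-in-transit"  # constructed sample code
    verifier = new_code_verifier()
    print("PKCE ok:", verify_pkce(verifier, pkce_challenge(verifier)))
    print("c_hash ok, issued code:", verify_c_hash(issued_code, c_hash(issued_code)))
    print("c_hash ok, injected code:", verify_c_hash(injected_code, c_hash(issued_code)))
```

Both checks detect a swapped code; the difference is who performs it (the authorization server for PKCE, the client for c_hash) and that c_hash requires the ID Token to be returned in the same response as the code.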
-
- changed status to resolved
During the 3-Feb-22 SIOP Special Topic Call, these points were discussed: