openid / connect / issues / #1427 - Credential issuance with PKCE or without? — Bitbucket

Issue #1427 resolved

Daniel Fett created an issue 2022-02-01

The credential issuance draft currently does not specify whether PKCE is to be used or not. Since PKCE is often expected in modern OAuth profiles, this should be discussed.

Comments (4)

Michael Jones
- changed status to open
During the 3-Feb-22 SIOP Special Topic Call, these points were discussed:
- Mike noted that Connect Core flows don't use PKCE and requiring it would be a breaking change.
- OAuth 2.1 explicitly does not require PKCE when OpenID Connect is used.
- Torsten said that FAPI requires PKCE.
- 2022-02-03T21:34:59+00:00
Joseph Heenan
OAuth 2.1 explicitly does not require PKCE when OpenID Connect is used.

‌

To quote https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-04#section-7.8 :

‌
```
 To this end, using
 code_challenge and code_verifier is REQUIRED for clients and
 authorization servers MUST enforce their use,
```
There is then a VERY narrow exception that doesn’t apply to the majority of the largest openid connect idps, and I’m honestly not sure if it applies to SIOP.

‌
- 2022-02-03T21:44:49+00:00
Michael Jones
Code injection is already prevented in OpenID Connect by including the c_hash in the ID Token.

Separately, all of us should be reviewing OAuth 2.1 to ensure that it does not require any breaking changes to OpenID Connect deployments. To the extent that it does (or could be construed to do so), we need to strongly push back in a united manner until the proposed breaking changes are removed from the draft.
- 2022-02-03T21:51:51+00:00
Kristina Yasuda
- changed status to resolved
PR #149
- 2022-04-22T21:12:52+00:00
Log in to comment

Assignee: –

Type: bug

Priority: major

Status: resolved

Component: Credential Issuance

Milestone: –

Version: –

Votes: 0

Watchers: 4

Jira: the preferred issue tracker for Bitbucket. Join the team!