- changed status to open
PKCE or Part 2 mechanisms?
FAPI Part 1, section 5.2.3 "Public client", item 1 says as follows:
- shall support [RFC7636] or the mechanisms defined in Financial-grade API - Part 2;
This can be interpreted as "RFC 7636 is not necessary if the mechanisms defined in Financial-grade API - Part 2 are used".
If this interpretation is acceptable, the specification needs to explain explicitly what "the mechanisms" mean. For example, "signed request object".
Otherwise, if the interpretation is not acceptable, "or the mechanisms defined in Financial-grade API - Part 2" should be removed from the specification.
I think we agreed on the call to remove the "or the mechanisms" part (and make sure Part 2 makes clear that PKCE isn't required for Part 2 compliant confidential clients, which I think it already does).
@Joseph Heenan, a PR is long overdue …
We could amend the sentence as you suggest in your comment, or we can actually remove 5.2.3. Let us discuss it on the call today.
- changed status to closed
Merged in part1-pkce-clarify (pull request #181)
Part 1: Remove 'or the mechanisms defined in part 2'
This part of the clause was confusing, and is no longer applicable as part 2 no longer supports public clients, and https://bitbucket.org/openid/fapi/pull-requests/170 clarifies other parts of the PKCE requirements.
closes #185
Approved-by: Nat Sakimura
Approved-by: Dave Tonge
→ <<cset bffffb753798>>