PKCE or Part2 mechanisms?

Issue #185 closed
Takahiko Kawasaki created an issue

FAPI Part 1, 5.2.3. Public client, 1. says as follows:

  1. shall support [RFC7636] or the mechanisms defined in Financial-grade API - Part 2;

This can be interpreted like "RFC 7636 is not necessary if the mechanisms defined in Financial-grade API - Part 2 are used".

If this interpretation is acceptable, the specification needs to explain explicitly what "the mechanisms" mean. For example, "signed request object".

Otherwise, if the interpretation is not acceptable, "or the mechanisms defined in Financial-grade API - Part 2" should be removed from the specification.
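For readers who want to see what "shall support [RFC7636]" amounts to in practice, here is an added example (not part of this issue, the pull request or the FAPI specification) showing the two halves of PKCE: the public client derives a `code_challenge` from a random `code_verifier`, and the authorization server binds that challenge to the authorization code and checks the verifier at the token endpoint. The function names, the in-memory code store and the decision to accept only the `S256` method (rejecting `plain`) are this example's own assumptions; the verifier/challenge pair used in the test is the RFC 7636 Appendix B vector.

```python
import base64
import hashlib
import hmac
import secrets

UNRESERVED = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 section 4.2 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(length: int = 64) -> str:
    """Client side: random verifier of 43..128 unreserved characters (RFC 7636 4.1)."""
    if not 43 <= length <= 128:
        raise ValueError("code_verifier length must be between 43 and 128")
    return "".join(secrets.choice(UNRESERVED) for _ in range(length))


def make_code_challenge(verifier: str) -> str:
    """Client side, S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def verify_pkce(stored_challenge: str, stored_method: str, code_verifier: str) -> bool:
    """Server side check at the token endpoint.

    Design choice of this example (an assumption, not a FAPI quote): only S256 is
    accepted, so a 'plain' challenge that merely repeats the verifier is refused.
    """
    if stored_method != "S256":
        return False
    if not 43 <= len(code_verifier) <= 128 or any(c not in UNRESERVED for c in code_verifier):
        return False
    expected = make_code_challenge(code_verifier)
    # constant-time comparison so challenge mismatches leak nothing through timing
    return hmac.compare_digest(expected, stored_challenge)


class AuthorizationServer:
    """Hypothetical minimal server: binds the challenge to a single-use code."""

    def __init__(self) -> None:
        self._codes: dict[str, tuple[str, str]] = {}

    def authorize(self, code_challenge: str, code_challenge_method: str) -> str:
        """Authorization endpoint: remember the challenge and hand back a code."""
        code = secrets.token_urlsafe(32)
        self._codes[code] = (code_challenge, code_challenge_method)
        return code

    def token(self, code: str, code_verifier: str) -> bool:
        """Token endpoint: the code is consumed whether or not the verifier matches."""
        entry = self._codes.pop(code, None)
        if entry is None:
            return False
        challenge, method = entry
        return verify_pkce(challenge, method, code_verifier)


def demo_flow() -> tuple[bool, bool, bool]:
    """Run a legitimate exchange, a wrong-verifier exchange and a replay of the same code."""
    server = AuthorizationServer()
    verifier = make_code_verifier()
    code = server.authorize(make_code_challenge(verifier), "S256")
    # an interceptor holding only the code, not the verifier, cannot redeem it
    wrong = server.token(code, make_code_verifier())
    # the code was consumed above, so even the right verifier fails now
    replay = server.token(code, verifier)
    # a fresh code with the right verifier succeeds
    ok = server.token(server.authorize(make_code_challenge(verifier), "S256"), verifier)
    return ok, wrong, replay


if __name__ == "__main__":
    print(demo_flow())  # (True, False, False)
```

The server never sees the verifier until the token request, so an authorization code observed in transit is useless on its own; that binding is the whole point of the clause.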

Comments (11)

  1. Joseph Heenan

    I think we agreed on the call to remove the "or the mechanisms" part (and make sure the Part 2 makes clear that PKCE isn't required for part 2 compliant confidential clients, which I think it already does).

  2. Nat Sakimura

    @Joseph Heenan , a PR is long due …

    We could amend the sentence as you suggest in your comment, or we can actually remove 5.2.3. Let us discuss it on the call today.

  3. Dave Tonge

    Merged in part1-pkce-clarify (pull request #181)

    Part 1: Remove 'or the mechanisms defined in part 2'

    • Part 1: Remove 'or the mechanisms defined in part 2'

    This part of the clause was confusing, and is no longer applicable as part 2 no longer supports public clients, and https://bitbucket.org/openid/fapi/pull-requests/170 clarifies other parts of the PKCE requirements.

    closes #185

    Approved-by: Nat Sakimura
    Approved-by: Dave Tonge

    → <<cset bffffb753798>>
