state is required for non-OpenID-Clients now, PCKE should be as well

Issue #257 resolved
Torsten Lodderstedt created an issue

due to #187 state can be used to detect CSRF, not code injection

that’s the reason the Security BCP makes PCKE mandatory for any OAuth client

I therefore think we should add this requirement to FAPI R.

Comments (2)

  1. Log in to comment