openid / fapi / issues / #257 - state is required for non-OpenID-Clients now, PCKE should be as well — Bitbucket

Issue #257 resolved

Torsten Lodderstedt created an issue 2019-07-24

due to ~~#187~~ state can be used to detect CSRF, not code injection

that’s the reason the Security BCP makes PCKE mandatory for any OAuth client

I therefore think we should add this requirement to FAPI R.

Comments (7)

Torsten Lodderstedt reporter
- edited description
- 2019-07-24T14:41:26+00:00
Dave Tonge
- changed status to resolved
PKCE is now required in FAPI R
- 2019-10-02T14:57:31+00:00
Nat Sakimura
- changed component to Part 1: Baseline
- 2022-12-14T15:35:53+00:00
Nat Sakimura
- changed component to FAPI 1 - Part 1: Baseline
- 2022-12-14T15:36:26+00:00
Nat Sakimura
- changed component to FAPI 1 – Part 1: Baseline
- 2022-12-14T15:36:59+00:00
Nat Sakimura
- changed component to FAPI 1 – Baseline
- 2022-12-14T15:38:21+00:00
Nat Sakimura
- changed component to FAPI 1: Baseline
- 2022-12-14T15:39:09+00:00
Log in to comment

Assignee: –

Type: enhancement

Priority: major

Status: resolved

Component: FAPI 1: Baseline

Milestone: –

Votes: 0

Watchers: 1

Jira: the preferred issue tracker for Bitbucket. Join the team!