- edited description
state is required for non-OpenID-Clients now, PKCE should be as well
Issue #257
resolved
Due to #187, state can be used to detect CSRF, not code injection.
That’s the reason the Security BCP makes PKCE mandatory for any OAuth client.
I therefore think we should add this requirement to FAPI R.
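The distinction drawn in the description, as an added example that is not part of the original issue or of any FAPI reference code: a valid `state` only proves the callback belongs to a flow this session started, while PKCE binds the authorization code to the session that requested it. The `AuthorizationServer`, `ClientSession` and `redeem` names and the `client-1` identifier are hypothetical, and the server is a toy in-memory model.

```python
import base64, hashlib, hmac, secrets

def s256_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(code_verifier)), unpadded (RFC 7636)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

class AuthorizationServer:
    """Toy AS (hypothetical): binds each code to the request's code_challenge."""
    def __init__(self):
        self._codes = {}

    def authorize(self, client_id, code_challenge):
        if not code_challenge:
            raise ValueError("code_challenge (S256) is required")
        code = secrets.token_urlsafe(16)
        self._codes[code] = (client_id, code_challenge)
        return code

    def token(self, client_id, code, code_verifier):
        entry = self._codes.pop(code, None)  # codes are single use
        if entry is None or entry[0] != client_id:
            return False
        return hmac.compare_digest(s256_challenge(code_verifier), entry[1])

class ClientSession:
    """Per-user-agent values the client keeps for one authorization flow."""
    def __init__(self):
        self.state = secrets.token_urlsafe(16)
        self.verifier = secrets.token_urlsafe(48)  # 64 chars, within 43..128

def redeem(as_, session, returned_state, code, client_id="client-1"):
    """Client callback: check state, then redeem with this session's verifier."""
    if not hmac.compare_digest(returned_state, session.state):
        return "rejected: state mismatch"
    ok = as_.token(client_id, code, session.verifier)
    return "tokens issued" if ok else "rejected: PKCE mismatch"

def demo():
    as_ = AuthorizationServer()
    a, b = ClientSession(), ClientSession()  # two independent flows
    code_a = as_.authorize("client-1", s256_challenge(a.verifier))
    code_b = as_.authorize("client-1", s256_challenge(b.verifier))
    return {
        # Code from flow A shows up in session B's callback with B's valid state.
        "injected": redeem(as_, b, b.state, code_a),
        # Normal flow: code, state and verifier all belong to session B.
        "normal": redeem(as_, b, b.state, code_b),
        # Callback carrying a state the session never issued (constructed value).
        "bad_state": redeem(as_, a, "constructed-wrong-state", code_b),
    }
```

In the `injected` case the state comparison passes, and the request is stopped only because the verifier of session B does not hash to the challenge stored with the code from flow A.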
Comments (7)
- reporter
- changed status to resolved
PKCE is now required in FAPI R
- changed component to Part 1: Baseline
- changed component to FAPI 1 - Part 1: Baseline
- changed component to FAPI 1 – Part 1: Baseline
- changed component to FAPI 1 – Baseline
- changed component to FAPI 1: Baseline