Issue #73: Spec says Authorization Server shall support both public and confidential clients; however, some implementations may only want to support confidential clients.
Status: closed
Comments (8)
On the related thing, needs for PKCE support can be optional. Having said that, since PKCE will prevent the privilege escalation by the code swap, it is better to have PKCE.
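The "code swap" protection referred to in the comment above comes from PKCE (RFC 7636) binding an authorization code to the `code_verifier` that the requesting client alone holds. The following is an added example, not code from the FAPI specification or from any implementation discussed in this issue: an in-memory, constructed stand-in for an authorization server that records the S256 `code_challenge` at the authorization endpoint and checks the presented `code_verifier` at the token endpoint, so that a code redeemed with any other verifier (or redeemed twice) is refused. The client and server roles are both simulated in-process.

```python
import base64
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Added illustration of PKCE (RFC 7636); the AuthorizationServer class below is a
# constructed minimal stand-in, not the FAPI reference implementation.


def make_code_verifier(n_bytes: int = 32) -> str:
    """RFC 7636 section 4.1: 43..128 chars from [A-Za-z0-9-._~].
    32 random bytes base64url-encoded without padding give exactly 43 chars."""
    return base64.urlsafe_b64encode(secrets.token_bytes(n_bytes)).rstrip(b"=").decode("ascii")


def make_code_challenge(code_verifier: str) -> str:
    """RFC 7636 section 4.2, S256: BASE64URL(SHA256(ASCII(code_verifier))), no padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


@dataclass
class IssuedCode:
    client_id: str
    code_challenge: str
    method: str
    redeemed: bool = False


class AuthorizationServer:
    """Constructed minimal AS: the authorization endpoint stores the challenge next to
    the issued code; the token endpoint verifies the verifier before releasing tokens."""

    def __init__(self) -> None:
        self._codes: Dict[str, IssuedCode] = {}

    def authorize(self, client_id: str, code_challenge: str,
                  code_challenge_method: str = "S256") -> str:
        # Only S256 is accepted: "plain" sends the secret itself over the front channel.
        if code_challenge_method != "S256":
            raise ValueError("only code_challenge_method=S256 is accepted")
        code = secrets.token_urlsafe(24)
        self._codes[code] = IssuedCode(client_id, code_challenge, code_challenge_method)
        return code

    def token(self, client_id: str, code: str, code_verifier: str) -> Optional[dict]:
        issued = self._codes.get(code)
        # Unknown code, already-used code, or a different client than the one it was issued to.
        if issued is None or issued.redeemed or issued.client_id != client_id:
            return None
        issued.redeemed = True  # authorization codes are single use
        # The verifier must hash to the challenge recorded at authorization time.
        if not secrets.compare_digest(make_code_challenge(code_verifier), issued.code_challenge):
            return None
        return {"access_token": secrets.token_urlsafe(16), "token_type": "Bearer"}


def demo() -> tuple:
    """Returns (legit_ok, mismatched_verifier_rejected, replay_rejected)."""
    server = AuthorizationServer()

    # Legitimate flow: the client keeps its verifier and redeems its own code with it.
    verifier = make_code_verifier()
    code = server.authorize("app-1", make_code_challenge(verifier))
    legit = server.token("app-1", code, verifier)

    # A second code issued for a different verifier: whoever presents it without that
    # verifier (the "swapped code" case) gets nothing, because the hash does not match.
    other_verifier = make_code_verifier()
    other_code = server.authorize("app-1", make_code_challenge(other_verifier))
    swapped = server.token("app-1", other_code, make_code_verifier())

    # Replaying the already-redeemed legitimate code is also refused.
    replay = server.token("app-1", code, verifier)

    return legit is not None, swapped is None, replay is None


if __name__ == "__main__":
    print(demo())  # -> (True, True, True)
```

The `make_code_challenge` function is checked against the S256 test vector in RFC 7636 Appendix B; the server's two refusals are what make the "it is better to have PKCE" argument concrete for a public client that cannot hold a client secret.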
Re: #73 → <<cset 8d420fd67b79>>
What about "... shall support confidential clients and may support public clients .... "?
- changed status to closed
- changed component to Part 2: Advanced
- changed component to FAPI 1 – Part 2: Advanced
- changed component to FAPI 1: Advanced
At the time of writing, I was assuming that banks were going to support mobile clients as well, but apparently they are not. Then, this requirement can be too demanding. We probably want to introduce some conditionals such as:
"Authorization Server shall support confidential clients if it supports web server based clients. Authorization Server shall support public clients if it supports mobile clients." etc.