Part 1: Reject public clients that do not support PKCE
Joseph Heenan
Branch: josephheenan/fapi:require-pkce-for-public-clients
Branch: openid/fapi:master
Merged
Merged in josephheenan/fapi/require-pkce-for-public-clients (pull request #54)
Part 1 currently says the authorization server 'shall support [RFC7636] with S256 as the code challenge method if it supports public clients'.
RFC7636 section 4.4.1 says "If the server requires Proof Key for Code Exchange ...".
This does not appear to require that the authorisation server rejects public clients that do not support PKCE. I believe such clients should be rejected, so the 'shall support' is changed to 'shall require'.
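The difference between "shall support" and "shall require" is visible in the authorization server's handling of a public client that omits `code_challenge`. The following is an added example, not code from the FAPI specification or from this pull request: a minimal authorization-endpoint check that rejects PKCE-less requests from public clients while still allowing confidential clients to proceed without PKCE, plus the matching token-endpoint S256 verification from RFC 7636. The client registry (`CLIENTS`) and the `public` flag are constructed for the example; a real server would derive that from the client's registered `token_endpoint_auth_method`.

```python
import base64
import hashlib
import hmac

# Constructed client registry for the example. "public" means the client
# cannot hold a secret (e.g. a native or browser app); a real authorization
# server would take this from the client's registered authentication method.
CLIENTS = {
    "public-mobile-app": {"public": True},
    "confidential-web-app": {"public": False},
}


class AuthorizationError(Exception):
    """Authorization request rejected; args are (oauth_error_code, description)."""


def check_authorization_request(client_id, params, clients=CLIENTS):
    """Enforce PKCE for public clients ("shall require", not merely "shall support").

    Returns the code_challenge that must be bound to the issued authorization
    code, or None when a confidential client legitimately sent no PKCE parameters.
    Raises AuthorizationError when the request must be refused.
    """
    client = clients.get(client_id)
    if client is None:
        raise AuthorizationError("invalid_request", "unknown client_id")

    challenge = params.get("code_challenge")
    method = params.get("code_challenge_method")

    if challenge is None:
        if client["public"]:
            # This is the behaviour the PR asks for: a public client without
            # PKCE is rejected rather than silently served.
            raise AuthorizationError("invalid_request", "public clients must use PKCE")
        return None

    # Only S256 is acceptable; "plain" offers no protection against code interception.
    if method != "S256":
        raise AuthorizationError("invalid_request", "code_challenge_method must be S256")
    # BASE64URL(SHA-256(verifier)) is always 43 characters.
    if len(challenge) != 43:
        raise AuthorizationError("invalid_request", "malformed code_challenge")
    return challenge


def s256_challenge(verifier):
    """RFC 7636 section 4.2: BASE64URL-ENCODE(SHA256(ASCII(code_verifier))) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def verify_code_verifier(stored_challenge, verifier):
    """Token endpoint side: the verifier must hash to the challenge bound to the code."""
    if stored_challenge is None:
        # No challenge was bound (confidential client, no PKCE), so no verifier is expected.
        return verifier is None
    if verifier is None or not (43 <= len(verifier) <= 128):
        # RFC 7636 section 4.1 length bounds for code_verifier.
        return False
    return hmac.compare_digest(s256_challenge(verifier), stored_challenge)


if __name__ == "__main__":
    # Test vectors from RFC 7636 appendix B.
    verifier = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
    challenge = s256_challenge(verifier)
    bound = check_authorization_request(
        "public-mobile-app", {"code_challenge": challenge, "code_challenge_method": "S256"}
    )
    print("verifier accepted:", verify_code_verifier(bound, verifier))
    try:
        check_authorization_request("public-mobile-app", {})
    except AuthorizationError as e:
        print("rejected:", e.args)
```

Under the original "shall support" wording, the `challenge is None` branch could return `None` for every client; the `public` check is the single line that turns support into a requirement.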