Make PKCE mandatory for all clients and configure to resist downgrade attacks

Issue #49 resolved
Tom Clancy created an issue

Discussed at the Mar 5, 2024 iGov WG meeting, introduced by the NL participants: require that all clients use PKCE.

Objectives: Defeat authorization code flow attacks for all clients. Defeat PKCE downgrade attacks.

Suggested iGov Approach: Require the use of PKCE for all client types. Require the S256 code challenge method defined by RFC 7636. Require at least 128 bits of entropy in the code verifier. Carry these requirements in the code_challenge, code_challenge_method, and code_verifier parameters.
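The following is an added example (not code from the issue or from the iGov profile) showing what the proposed requirements look like on both sides of the flow: the client generates a code_verifier with 256 bits of randomness (well above the 128-bit floor, and enough for RFC 7636's 43-character minimum) and derives the S256 code_challenge; the authorization server rejects any authorization request that omits PKCE or asks for a method other than S256, which is what closes the downgrade path; and the token endpoint checks the verifier in constant time. Function and parameter names are this example's own choices.

```python
import base64
import hashlib
import secrets
from typing import Optional

# Unreserved characters RFC 7636 permits in code_verifier and code_challenge
VERIFIER_ALPHABET = frozenset(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"
)

def _b64url(raw: bytes) -> str:
    # base64url without padding, as RFC 7636 Appendix A specifies
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def make_code_verifier(nbytes: int = 32) -> str:
    # Client side: 32 random bytes = 256 bits; also yields the 43-char minimum length
    if nbytes < 32:
        raise ValueError("use at least 32 random bytes for the code_verifier")
    return _b64url(secrets.token_bytes(nbytes))

def s256_challenge(verifier: str) -> str:
    # code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def validate_authorization_request(params: dict) -> Optional[str]:
    # Server side, authorization endpoint: return an error string or None if acceptable.
    # PKCE is mandatory for every client, and only S256 is accepted (no 'plain', no default).
    challenge = params.get("code_challenge")
    method = params.get("code_challenge_method")
    if challenge is None:
        return "invalid_request: code_challenge is required for all clients"
    if method != "S256":
        return "invalid_request: code_challenge_method must be S256"
    if len(challenge) != 43 or any(c not in VERIFIER_ALPHABET for c in challenge):
        return "invalid_request: malformed S256 code_challenge"
    return None

def verify_token_request(stored_challenge: str, code_verifier: Optional[str]) -> bool:
    # Server side, token endpoint: recompute S256 over the presented verifier and compare
    # against the challenge bound to the authorization code at issuance.
    if code_verifier is None or not 43 <= len(code_verifier) <= 128:
        return False
    if any(c not in VERIFIER_ALPHABET for c in code_verifier):
        return False
    return secrets.compare_digest(s256_challenge(code_verifier), stored_challenge)
```

The S256 derivation can be checked against the test vector in RFC 7636 Appendix B (verifier dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk gives challenge E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM).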
