Make PKCE mandatory for all clients and configure to resist downgrade attacks
Issue #49
resolved
Discussed at Mar 5, 2024 iGov WG, introduced by NL participants: Require all clients use PKCE.
Objectives: Defeat authorization code flow attacks for all clients. Defeat PKCE downgrade attacks.
Suggested iGov Approach: Require use of PKCE for all client types. Require use of S256 code challenge method defined by RFC 7636. Require at least 128 bits of entropy. Carry requirements in code_challenge, code_challenge_method, and code_verifier parameters.
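The suggested approach above, as an added example written for this page rather than code from the iGov profile or from PR#25: the client generates a code_verifier with more than 128 bits of entropy and its S256 code_challenge, and the authorization server refuses any authorization request that omits PKCE or asks for a method other than S256 (the downgrade case), then checks the verifier at the token endpoint. Function names are hypothetical; the encoding and length rules follow RFC 7636.

```python
import base64
import hashlib
import hmac
import re
import secrets
from typing import Optional

# RFC 7636 section 4.1: a code_verifier is 43..128 unreserved characters.
VERIFIER_RE = re.compile(r"[A-Za-z0-9\-._~]{43,128}")

def b64url(data: bytes) -> str:
    """base64url without padding, as RFC 7636 Appendix A specifies."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def make_code_verifier(entropy_bytes: int = 32) -> str:
    """Client: 32 random octets (256 bits) satisfy the 128-bit floor proposed in
    this issue and, once base64url-encoded (43 chars), the RFC 7636 minimum length."""
    if entropy_bytes < 32:
        raise ValueError("use at least 32 octets of entropy for code_verifier")
    return b64url(secrets.token_bytes(entropy_bytes))

def make_code_challenge(code_verifier: str) -> str:
    """Client: S256 transform, BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())

def check_authorization_request(params: dict) -> str:
    """Server, authorization endpoint: PKCE is mandatory and only S256 is accepted.
    A missing code_challenge_method or 'plain' is treated as a downgrade and refused.
    Returns the code_challenge to bind to the authorization code that is issued."""
    challenge = params.get("code_challenge")
    method = params.get("code_challenge_method")
    if not challenge:
        raise ValueError("invalid_request: code_challenge is required for all clients")
    if method != "S256":
        raise ValueError("invalid_request: code_challenge_method must be S256")
    # An S256 challenge is always 43 base64url characters.
    if len(challenge) != 43 or not VERIFIER_RE.fullmatch(challenge):
        raise ValueError("invalid_request: malformed S256 code_challenge")
    return challenge

def check_token_request(stored_challenge: str, code_verifier: Optional[str]) -> bool:
    """Server, token endpoint: recompute S256 over the presented code_verifier and
    compare it in constant time with the challenge bound to the authorization code."""
    if not code_verifier or not VERIFIER_RE.fullmatch(code_verifier):
        return False
    return hmac.compare_digest(make_code_challenge(code_verifier), stored_challenge)
```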
Comments (3)
reporter changed status to resolved
A PR is in the pipeline to make PKCE mandatory
reporter Resolved in PR#25
https://bitbucket.org/openid/igov/pull-requests/25