Re: [OAUTH-WG] OAuth 2.1 - require PKCE?
Mike Jones <Michael.Jones@microsoft.com> Wed, 06 May 2020 19:35 UTC
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E49173A0AC2 for <oauth@ietfa.amsl.com>; Wed, 6 May 2020 12:35:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FQWw8O6nbYsx for <oauth@ietfa.amsl.com>; Wed, 6 May 2020 12:35:01 -0700 (PDT)
Received: from NAM06-BL2-obe.outbound.protection.outlook.com (mail-eopbgr650098.outbound.protection.outlook.com [40.107.65.98]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C458C3A0ABC for <oauth@ietf.org>; Wed, 6 May 2020 12:35:00 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Nu9V/hEuJWGjRj6z3LixNEPy24i+ZpKM2tmyYBrO+KkPINf6q6FkdYcESYiCK7n8LbWB7z0j/usqyND9YyFV4g07qClsTe4kvJ/tG2ioacVEgSr8r/DB0HGcIxRTDLNrVPkXG89H58gygV9TJzO/wR/G8zENNmC8Cp8u3heEJjC15woJS1cmwGdaEHMC3ZF9fGrxD/ZALlMAyU4OSMt7UEF2imOFdXogGebny1CywNDVy0A6tsGRXztaPc+sSwqpXNx9BJgF+tjTZgH3kivXrNF4DY8MUFq5qAipWP3XXN+qdcBzTI+QC8BZGcjuXsL//FuqCBabXuckxG0BONjQSA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=YQG7HddZ9rsn2n49w6Pltl3AoZr3xMwoctCR+QukFcQ=; b=NgOMeIxL0bO9JauEQgRFw3ZPW7S9x07Qoh2drqLEMibEUK/3mo/M8YZfIQeJUKYk5jKQpF1/fCw+qTSdJbngSOsDfUPrJ7oqjTkZHqU9+amjSgsY8gIRGp9jaUE9kdTMyTTDERZ+GZDFNzdUZf6Y1bFngMXUwbJk+VKLdLeTyvBeoyTNTBKuZzHD9uXzh8V/VJffaHjqz/sXOIhkFY4gctAraIrZT1iC0fV853QmK5HXvtQA27BG8IfF9jxcdjVouep9gFEMH8pPqD5NOOPDlNy2BOSf3V+1xkwz43QVD9SnE650lFpv2/w5dhmOGRToBdFltBfaIqYVI2z9vb0q2A==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=microsoft.com; dmarc=pass action=none header.from=microsoft.com; dkim=pass header.d=microsoft.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=YQG7HddZ9rsn2n49w6Pltl3AoZr3xMwoctCR+QukFcQ=; b=WihbDg2SM+Ft0GaTOpayWGRzdhEWfqIr++YF5Xi7X2uVTcSiuUAbQjLMFXvFtbxKSanV4f3gI053qBaHYBU9Rc8w3c8Ra7mTO10taIiadNB5OVvwoseesi5XIaXjgLlJYxOa1pWsmFgDOa5UHbfw+g9fx+kaQmQAB4B1IOphLnI=
Received: from CH2PR00MB0679.namprd00.prod.outlook.com (2603:10b6:610:af::7) by CH2PR00MB0796.namprd00.prod.outlook.com (2603:10b6:610:6f::11) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3013.0; Wed, 6 May 2020 19:34:58 +0000
Received: from CH2PR00MB0679.namprd00.prod.outlook.com ([fe80::c8f1:c1e0:dcd6:53b8]) by CH2PR00MB0679.namprd00.prod.outlook.com ([fe80::c8f1:c1e0:dcd6:53b8%9]) with mapi id 15.20.3015.000; Wed, 6 May 2020 19:34:58 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Aaron Parecki <aaron@parecki.com>, Steinar Noem <steinar@udelt.no>
CC: Phillip Hunt <phil.hunt@independentid.com>, "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] OAuth 2.1 - require PKCE?
Thread-Index: AdYj3WtR+me7qEElQpS5TJ12DTuYaw==
Date: Wed, 06 May 2020 19:34:57 +0000
Message-ID: <CH2PR00MB067972AFDBBCB149BD27B136F5A40@CH2PR00MB0679.namprd00.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ActionId=8cb56d76-0f41-4e22-b3a8-0000077889d7; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ContentBits=0; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Enabled=true; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Method=Standard; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Name=Internal; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SetDate=2020-05-06T19:31:28Z; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SiteId=72f988bf-86f1-41af-91ab-2d7cd011db47;
authentication-results: parecki.com; dkim=none (message not signed) header.d=none;parecki.com; dmarc=none action=none header.from=microsoft.com;
x-originating-ip: [50.47.87.252]
x-ms-publictraffictype: Email
x-ms-office365-filtering-ht: Tenant
x-ms-office365-filtering-correlation-id: e80eda33-fbe2-4d85-162e-08d7f1f48fa4
x-ms-traffictypediagnostic: CH2PR00MB0796:
x-microsoft-antispam-prvs: <CH2PR00MB079692493C7277471854F859F5A40@CH2PR00MB0796.namprd00.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:9508;
x-forefront-prvs: 03950F25EC
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: AZtrFhKpo5kNwygbHYT8KWaFBJTp4fS3M3viLCwdH0+qigW/c1uoB93VaOUWN1tYJuGCZmSYHR/J4aiDYKj34/IvOnFKMrLnEuOiZbWNEhMKaBHwLy9nHbBuYAGsKMialt/DaG90opi3U5ir8r5EoLTQ20KvJI2NnthV9pWaJR9fUvBIwDUmkq1PA2C4tCf2Lz+24/1WQMZj4x5aQFww3ENthm3pSqlywJXGSjfLpY0oxMaUaqW5Ejr8TrdU28ZqNKYF6LbU2KwJDtsi/+Sz2KDiIjQcPcP6HH0JybBfF/MN3eu2oVCNvhqdx4+OC7XTctonmbwkTxzMlAzyZx7WrXFvLIC5B8WV3MxxchoyyQp9YjJ/uxmBQRu6jEBLIzuEMiuT9ldokz0LExFXKQF3X+1fjuBlQErkLPMj8l21WhEVgEQtIGJVHrkpJFFjWOVBzS1MSU5hE9LO/xG/yr5jpE1Q/j+pgBMHI4tH2PrCgVJyYLS3FFWsCDEQ5FqIi9m+f0O8OxVUSWxPiawE64OGIQ==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:CH2PR00MB0679.namprd00.prod.outlook.com; PTR:; CAT:NONE; SFTY:; SFS:(4636009)(346002)(136003)(376002)(39860400002)(396003)(366004)(33430700001)(8936002)(8676002)(26005)(186003)(55016002)(33440700001)(4326008)(6506007)(66574014)(52536014)(7696005)(9686003)(478600001)(966005)(316002)(8990500004)(53546011)(76116006)(54906003)(10290500003)(33656002)(66446008)(82960400001)(64756008)(5660300002)(66556008)(66476007)(86362001)(82950400001)(110136005)(71200400001)(166002)(2906002)(66946007)(99710200001); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata: BDlAVWMgFyw4BH1SMfyHujEeuuikoL/p9PW5X81yVGkPnPzGoAM5nkLwtHr9vUeo5X/XNJz1rlZp5fcffD9KjySUuoI0IgwpF+/OD6/hy/Wzv2vXO1C8VxprbYVRHnhU3yWsgCDmxfqCAGxELz4UWmaa4V6X7TBOIG/EeOWJ+NtizjLJ7udZJs0lKcqxh59yaeFv3IWHvaM1FWR3asp/i1h4yA0dYnSDTBJLziBgr6NVOGJbxHQ8iG37IpPoyvkn3/BN0UVxLEdNxPtAEUYGVzJaw+MIqCfnjcx7/8QZIN6L3oBKQyG7Q6VIGMGuPTOyl3ZczQv3h6GyrOVWGtCkILN9Gr65GIfzDQHGjxCdSXi75oqgWbyHqO31cAz75a4+vYrbdId6G/d6mJo03AEbFIxb1OUf+KQPclLWB58ZhkKGtmuzBQyD6RHIR9ZPKGxKvYk0M61FDbDELG7sfgk2cmeK8l7jYGlfZ7Wc9tByd3Fk2os2AYxS4sfCStG3tGjfiOw2WuJu7cbvbd70/PrsQVeloSydlATqjpQfLo6cFgJmtaeBmwFa4e9hwuBm5EBFKF1PCWeHEzn23gTtmdv8XE3YClsmpKH+6cw0Pk8ChMa4MspNZOaD1U+b+lS/KCrNh7yVcyYR6OM+t3xKE5af5zurMZ8vikYhuj46ifEs9R4pZPVVQnWRfyWnobk7lfQP9B2EwEaT8utFHBSF74gKU9BqFgmbz0xAYbigq+QZRG8rV/s1V1QnDCaOM4c0oNZkysg9cUFxebd79E5ynMs4QBU7uDEZUPgBb+LWJc/o+WQ=
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_CH2PR00MB067972AFDBBCB149BD27B136F5A40CH2PR00MB0679namp_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: CH2PR00MB0679.namprd00.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: e80eda33-fbe2-4d85-162e-08d7f1f48fa4
X-MS-Exchange-CrossTenant-originalarrivaltime: 06 May 2020 19:34:57.6640 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: o92lwYiBwd0iJw8QJj+IZWHYc9EUh0umC2liOKrmotVDU81nszKlFrTCPotA2oAhCkRJ6EPRH/LFU17sjuqNBA==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CH2PR00MB0796
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Jj9cPgUgMtNFzLDhWIZT7xP-M98>
Subject: Re: [OAUTH-WG] OAuth 2.1 - require PKCE?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 May 2020 19:35:04 -0000
Yes, FAPI requires PKCE, which is great. Many of its requirements come from OpenID Connect but some of them are intentionally incompatible – such as requiring that Basic authentication not be supported, whereas Connect requires that it be supported. It’s a different ecosystem with different requirements. Don’t get me wrong, I support PKCE where it makes sense, such as when you’re doing bare OAuth without OpenID Connect. But trying to impose an unnecessary requirement on a working and secure ecosystem will just create grief for us and our customers and lessen our credibility as stewards of the OAuth ecosystem. -- Mike From: Aaron Parecki <aaron@parecki.com> Sent: Wednesday, May 6, 2020 12:29 PM To: Steinar Noem <steinar@udelt.no> Cc: Phillip Hunt <phil.hunt@independentid.com>; Mike Jones <Michael.Jones@microsoft.com>; oauth@ietf.org Subject: Re: [OAUTH-WG] OAuth 2.1 - require PKCE? I should add that even some OpenID Connect profiles require PKCE, such as FAPI: https://openid.net/specs/openid-financial-api-part-1.html#authorization-server So the precedent for requiring PKCE already exists within some OpenID Connect profiles. On Wed, May 6, 2020 at 12:23 PM Aaron Parecki <aaron@parecki.com<mailto:aaron@parecki.com>> wrote: Yes, and also, many of those providers very likely already support PKCE already. Skimming through that list of certified OPs, I recognize many names there from providers that I know support PKCE. On Wed, May 6, 2020 at 12:18 PM Steinar Noem <steinar@udelt.no<mailto:steinar@udelt.no>> wrote: So, wouldn't a MUST just mean that we would have some OPs that are 2.1 compliant and some that aren't? ons. 6. mai 2020 kl. 21:12 skrev Phillip Hunt <phil.hunt@independentid.com<mailto:phil.hunt@independentid.com>>: Mike, The point of 2.1 is to raise the security bar.. Yes it adds new MUST requirements. But what about OIDC would break other than required implementation of PKCE to support 2.1? Eg Would additional signaling be required to facilitate interoperability and migration between versions? Would that be an oauth issue or an OIDC one? Phil On May 6, 2020, at 11:56 AM, Aaron Parecki <aaron@parecki.com<mailto:aaron@parecki.com>> wrote: > In particular, authorization servers shouldn’t be required to support PKCE when they already support the OpenID Connect nonce. The Security BCP already requires that ASs support PKCE: https://tools.ietf.org/html/draft-ietf-oauth-security-topics-15#section-2.1.1 Are you suggesting that the Security BCP change that requirement as well? If so, that's a discussion that needs to be had ASAP. If not, then that's an implicit statement that it's okay for OpenID Connect implementations to not be best-practice OAuth implementations. And if that's the case, then I also think it's acceptable that they are not complete OAuth 2.1 implementations either. On Wed, May 6, 2020 at 11:21 AM Mike Jones <Michael.Jones=40microsoft.com@dmarc.ietf.org<mailto:40microsoft.com@dmarc.ietf.org>> wrote: The disadvantage of requiring PKCE for OpenID Connect implementations is that you’re trying to add a normative requirement that’s not required of OpenID Connect deployments today, which would bifurcate the ecosystem. There are hundreds of implementations (including the 141 certified ones at https://openid.net/certification/), none of which have ever been required to support PKCE. Therefore, most don’t. Per feedback already provided, I believe that OAuth 2.1 should align with the guidance already in the draft Security BCP, requiring EITHER the use of PKCE or the OpenID Connect nonce. Trying to retroactively impose unnecessary requirements on existing deployments is unlikely to succeed and will significantly reduce the relevance of the OAuth 2.1 effort. In particular, authorization servers shouldn’t be required to support PKCE when they already support the OpenID Connect nonce. And clients shouldn’t reject responses from servers that don’t support PKCE when they do contain the OpenID Connect nonce. Doing so would unnecessarily break things and create confusion in the marketplace. -- Mike From: OAuth <oauth-bounces@ietf.org<mailto:oauth-bounces@ietf.org>> On Behalf Of Dick Hardt Sent: Wednesday, May 6, 2020 10:48 AM To: oauth@ietf.org<mailto:oauth@ietf.org> Subject: [OAUTH-WG] OAuth 2.1 - require PKCE? Hello! We would like to have PKCE be a MUST in OAuth 2.1 code flows. This is best practice for OAuth 2.0. It is not common in OpenID Connect servers as the nonce solves some of the issues that PKCE protects against. We think that most OpenID Connect implementations also support OAuth 2.0, and hence have support for PKCE if following best practices. The advantages or requiring PKCE are: - a simpler programming model across all OAuth applications and profiles as they all use PKCE - reduced attack surface when using S256 as a fingerprint of the verifier is sent through the browser instead of the clear text value - enforcement by AS not client - makes it easier to handle for client developers and AS can ensure the check is conducted What are disadvantages besides the potential impact to OpenID Connect deployments? How significant is that impact? Dick, Aaron, and Torsten [https://mailfoogae..appspot.com/t?sender=aZGljay5oYXJkdEBnbWFpbC5jb20%3D&type=zerocontent&guid=452438ba-d429-4656-ace9-b284744bc171]ᐧ _______________________________________________ OAuth mailing list OAuth@ietf.org<mailto:OAuth@ietf.org> https://www.ietf.org/mailman/listinfo/oauth _______________________________________________ OAuth mailing list OAuth@ietf.org<mailto:OAuth@ietf.org> https://www.ietf.org/mailman/listinfo/oauth _______________________________________________ OAuth mailing list OAuth@ietf.org<mailto:OAuth@ietf.org> https://www.ietf.org/mailman/listinfo/oauth -- Vennlig hilsen Steinar Noem Partner Udelt AS Systemutvikler | steinar@udelt.no<mailto:steinar@udelt.no> | hei@udelt.no<mailto:hei@udelt.no> | +47 955 21 620 | www.udelt.no<http://www.udelt.no/> |
- [OAUTH-WG] OAuth 2.1 - require PKCE? Dick Hardt
- Re: [OAUTH-WG] OAuth 2.1 - require PKCE? Mike Jones
- Re: [OAUTH-WG] OAuth 2.1 - require PKCE? Aaron Parecki
- Re: [OAUTH-WG] OAuth 2.1 - require PKCE? Phillip Hunt
- Re: [OAUTH-WG] OAuth 2.1 - require PKCE? Steinar Noem
- Re: [OAUTH-WG] OAuth 2.1 - require PKCE? Phillip Hunt
- Re: [OAUTH-WG] [EXTERNAL] Re: OAuth 2.1 - require… Mike Jones
- Re: [OAUTH-WG] OAuth 2.1 - require PKCE? Aaron Parecki
- Re: [OAUTH-WG] [EXTERNAL] Re: OAuth 2.1 - require… Aaron Parecki
- Re: [OAUTH-WG] OAuth 2.1 - require PKCE? Aaron Parecki
- Re: [OAUTH-WG] OAuth 2.1 - require PKCE? Mike Jones
- Re: [OAUTH-WG] OAuth 2.1 - require PKCE? Mike Jones
- Re: [OAUTH-WG] OAuth 2.1 - require PKCE? Phillip Hunt
- Re: [OAUTH-WG] OAuth 2.1 - require PKCE? Mike Jones
- Re: [OAUTH-WG] OAuth 2.1 - require PKCE? Aaron Parecki
- Re: [OAUTH-WG] OAuth 2.1 - require PKCE? Dick Hardt
- Re: [OAUTH-WG] OAuth 2.1 - require PKCE? Mike Jones
- Re: [OAUTH-WG] OAuth 2.1 - require PKCE? Brian Campbell
- Re: [OAUTH-WG] OAuth 2.1 - require PKCE? Aaron Parecki
- Re: [OAUTH-WG] OAuth 2.1 - require PKCE? Mike Jones
- Re: [OAUTH-WG] OAuth 2.1 - require PKCE? Philippe De Ryck
- Re: [OAUTH-WG] OAuth 2.1 - require PKCE? Daniel Fett
- Re: [OAUTH-WG] OAuth 2.1 - require PKCE? Phillip Hunt
- Re: [OAUTH-WG] OAuth 2.1 - require PKCE? Mike Jones
- Re: [OAUTH-WG] OAuth 2.1 - require PKCE? Dick Hardt
- Re: [OAUTH-WG] OAuth 2.1 - require PKCE? Aaron Parecki
- Re: [OAUTH-WG] OAuth 2.1 - require PKCE? Phillip Hunt
- Re: [OAUTH-WG] OAuth 2.1 - require PKCE? Dick Hardt
- Re: [OAUTH-WG] OAuth 2.1 - require PKCE? Mike Jones
- Re: [OAUTH-WG] OAuth 2.1 - require PKCE? Aaron Parecki
- Re: [OAUTH-WG] OAuth 2.1 - require PKCE? Mike Jones
- Re: [OAUTH-WG] OAuth 2.1 - require PKCE? Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth 2.1 - require PKCE? Torsten Lodderstedt
- Re: [OAUTH-WG] [EXTERNAL] Re: OAuth 2.1 - require… Mike Jones
- Re: [OAUTH-WG] OAuth 2.1 - require PKCE? Mike Jones
- Re: [OAUTH-WG] [EXTERNAL] Re: OAuth 2.1 - require… Dick Hardt
- Re: [OAUTH-WG] OAuth 2.1 - require PKCE? Mike Jones
- Re: [OAUTH-WG] OAuth 2.1 - require PKCE? Dick Hardt
- Re: [OAUTH-WG] [EXTERNAL] Re: OAuth 2.1 - require… Neil Madden
- Re: [OAUTH-WG] [EXTERNAL] Re: OAuth 2.1 - require… Dick Hardt
- Re: [OAUTH-WG] OAuth 2.1 - require PKCE? Mike Jones
- Re: [OAUTH-WG] OAuth 2.1 - require PKCE? Mike Jones
- Re: [OAUTH-WG] [EXTERNAL] Re: OAuth 2.1 - require… Neil Madden
- Re: [OAUTH-WG] OAuth 2.1 - require PKCE? Dick Hardt
- Re: [OAUTH-WG] [EXTERNAL] Re: OAuth 2.1 - require… Dick Hardt
- Re: [OAUTH-WG] [EXTERNAL] Re: OAuth 2.1 - require… Neil Madden
- Re: [OAUTH-WG] [EXTERNAL] Re: OAuth 2.1 - require… Dick Hardt
- Re: [OAUTH-WG] OAuth 2.1 - require PKCE? Benjamin Kaduk
- Re: [OAUTH-WG] [EXTERNAL] Re: OAuth 2.1 - require… Neil Madden
- Re: [OAUTH-WG] OAuth 2.1 - require PKCE? Torsten Lodderstedt
- Re: [OAUTH-WG] [EXTERNAL] Re: OAuth 2.1 - require… Torsten Lodderstedt
- Re: [OAUTH-WG] [EXTERNAL] Re: OAuth 2.1 - require… Neil Madden
- Re: [OAUTH-WG] [EXTERNAL] Re: OAuth 2.1 - require… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth 2.1 - require PKCE? Dominick Baier
- Re: [OAUTH-WG] [EXTERNAL] Re: OAuth 2.1 - require… Neil Madden
- Re: [OAUTH-WG] [EXTERNAL] Re: OAuth 2.1 - require… Torsten Lodderstedt
- Re: [OAUTH-WG] [EXTERNAL] Re: OAuth 2.1 - require… Neil Madden
- Re: [OAUTH-WG] [EXTERNAL] Re: OAuth 2.1 - require… Torsten Lodderstedt