Re: [OAUTH-WG] Aligning PKCE requirements within the OAuth Security BCP

Sascha Preibisch <> Wed, 06 May 2020 21:38 UTC

From: Sascha Preibisch <>
Date: Wed, 06 May 2020 14:37:22 -0700
To: Mike Jones <>

The document is called "...Best Current Practice ..." and includes
recommendations. Could it be sufficient to say "Authorization servers
support PKCE" in section 2.1.1?  I believe MUST and other such terms
may not necessarily belong in such a document.


On Wed, 6 May 2020 at 14:04, Mike Jones
<> wrote:
> As is being discussed in the thread “[OAUTH-WG] OAuth 2.1 - require PKCE?”, has inconsistent requirements for PKCE support between clients and servers.  Per the first paragraph, clients must either use PKCE or use the OpenID Connect nonce to prevent authorization code injection.  Whereas the fourth paragraph says “Authorization servers MUST support PKCE [RFC7636].”.  This imposes a requirement on servers that isn’t present for corresponding clients.  (I missed this internal discrepancy within the specification when I did my review.)
> I therefore request that the fourth paragraph be changed to read: “OAuth Servers MUST support PKCE [RFC7636] unless they are only used for OpenID Connect Authentication Requests”, making the requirements on clients and servers parallel.  That way PKCE will still be there unless you don’t need it.  (And it still could be there if the server implementer chooses to have it in all cases, but that should be their call.)
> Thank you,
> -- Mike