Vladimir Dzhuvinov <> Thu, 23 April 2020 07:55 UTC

From: Vladimir Dzhuvinov <>
Organization: Connect2id Ltd.
Date: Thu, 23 Apr 2020 10:54:42 +0300
Subject: Re: [OAUTH-WG] OAuth GREASE
List-Id: OAUTH WG <>

I get your frustration with PKCE. It would be a bad policy and example
to burden compliant ASes with additional stuff just because a few AS
implementations are not complying with the spec. It's not fair and can
end up creating all sorts of bad incentives in future.


On 22/04/2020 10:29, Neil Madden wrote:
> Section 3.1 of RFC 6749 says (of the authorization endpoint):
> The authorization server MUST ignore
>    unrecognized request parameters.
> We hoped to be able to use this to opportunistically apply PKCE -
> always send a code_challenge in the hope that the AS supports it and
> there should be no harm if it doesn’t. 
> Sadly I learned yesterday of yet another public AS that fails hard if
> the request contains unrecognised parameters. It appears this part of
> the spec is widely ignored. 
> Given that this hampers the ability to add new request parameters in
> future, do we need our own GREASE to prevent these joints rusting tight?
> — Neil
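
The behaviour discussed in this thread, as an added example that is not part of either message: a client that always sends a PKCE challenge plus one throwaway GREASE-style parameter, checked against an authorization endpoint parser that ignores unrecognised parameters (RFC 6749 section 3.1) and one that fails hard. The `KNOWN` set, the `grease_` prefix, the function names and the `as.example` / `app.example` URLs are assumptions made for illustration.

```python
import base64, hashlib, secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Parameters a hypothetical AS without PKCE support recognises (RFC 6749 section 4.1.1).
KNOWN = {"response_type", "client_id", "redirect_uri", "scope", "state"}

def s256(verifier):
    """S256 code_challenge for a code_verifier (RFC 7636 section 4.2)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def build_request(endpoint, client_id, redirect_uri, grease=True):
    """Client side: always send PKCE, plus one throwaway parameter if grease is set."""
    verifier = secrets.token_urlsafe(32)
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "state": secrets.token_urlsafe(8),
              "code_challenge": s256(verifier), "code_challenge_method": "S256"}
    if grease:
        # Constructed naming scheme, not taken from any specification.
        params["grease_" + secrets.token_hex(4)] = secrets.token_hex(4)
    return verifier, endpoint + "?" + urlencode(params)

def parse_lenient(url):
    """AS side, compliant: drop whatever is not recognised and carry on."""
    query = parse_qs(urlsplit(url).query)
    return {k: v[0] for k, v in query.items() if k in KNOWN}

def parse_strict(url):
    """AS side, the behaviour reported in the thread: reject unknown names."""
    query = parse_qs(urlsplit(url).query)
    unknown = sorted(set(query) - KNOWN)
    if unknown:
        raise ValueError("invalid_request: unexpected parameter(s) " + ", ".join(unknown))
    return {k: v[0] for k, v in query.items()}

if __name__ == "__main__":
    _, url = build_request("https://as.example/authorize", "client-1",
                           "https://app.example/cb")
    print("lenient:", parse_lenient(url))
    try:
        parse_strict(url)
    except ValueError as err:
        print("strict: ", err)
```
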