Closed m-mohr closed 3 years ago
It seems like authorization code flow also works without PKCE and client secret, so should be added, too.
In what context or with what provider have you observed that?
@soxofaan None of ours, but @aljacob mentioned it today, and reading the OAuth 2.0 RFC it is indeed standardized without PKCE and PKCE itself is only an extension.
Interestingly, it seems like the R client supports authorization_code without PKCE, but with secret: https://github.com/Open-EO/openeo-r-client/blob/master/R/authentication.R#L99-L101
There's the possibility to support Device Code without PKCE it seems.
Proposal is to extend the list of allowed grant types: https://github.com/Open-EO/openeo-api/blob/master/openapi.yaml#L1859-L1868 with
urn:ietf:params:oauth:grant-type:device_code
cc @soxofaan @aljacob