Open-EO / openeo-api

The openEO API specification
http://api.openeo.org
Apache License 2.0

Support OIDC device code flow without PKCE #410

Closed m-mohr closed 3 years ago

m-mohr commented 3 years ago

There's the possibility to support Device Code without PKCE it seems.

Proposal is to extend the list of allowed grant types: https://github.com/Open-EO/openeo-api/blob/master/openapi.yaml#L1859-L1868 with urn:ietf:params:oauth:grant-type:device_code

cc @soxofaan @aljacob

m-mohr commented 3 years ago

It seems like authorization code flow also works without PKCE and client secret, so should be added, too.

soxofaan commented 3 years ago

> It seems like authorization code flow also works without PKCE and client secret, so should be added, too.

In what context or with what provider have you observed that?

m-mohr commented 3 years ago

@soxofaan None of ours, but @aljacob mentioned it today, and reading the OAuth 2.0 RFC it is indeed standardized without PKCE and PKCE itself is only an extension.

m-mohr commented 3 years ago

Interestingly, it seems like the R client supports authorization_code without PKCE, but with secret: https://github.com/Open-EO/openeo-r-client/blob/master/R/authentication.R#L99-L101
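To make the three token-endpoint request shapes discussed in this thread concrete (device code per RFC 8628, and authorization code with PKCE, with a client secret as the R client does, or with neither), here is an added example that is not openEO code and not code from this issue. It builds each request and runs it against a constructed mock token endpoint that applies the checks a provider would: single-use codes, client_id and redirect_uri binding, S256 verifier-to-challenge matching, client-secret authentication for confidential clients, and `authorization_pending` while a device code awaits approval. The client ids, redirect URI and secret are assumed values; the only real constant is the grant-type URN from the issue.

```python
import base64
import hashlib
import hmac
import secrets

# Grant type string this issue proposes adding to openEO's allowed list (RFC 8628).
DEVICE_CODE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"


def b64url(data):
    """Base64url without padding, as used by PKCE and for the mock's token strings."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair(verifier=None):
    """RFC 7636 S256: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    if verifier is None:
        verifier = b64url(secrets.token_bytes(32))  # 43 unreserved characters
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def auth_code_request(client_id, code, redirect_uri, code_verifier=None, client_secret=None):
    """authorization_code token request: with PKCE, with a secret, or with neither."""
    params = {"grant_type": "authorization_code", "client_id": client_id,
              "code": code, "redirect_uri": redirect_uri}
    if code_verifier is not None:
        params["code_verifier"] = code_verifier
    if client_secret is not None:
        params["client_secret"] = client_secret
    return params


def device_code_request(client_id, device_code):
    """RFC 8628 token request; the client polls with this until the user approves."""
    return {"grant_type": DEVICE_CODE_GRANT, "client_id": client_id,
            "device_code": device_code}


class MockTokenEndpoint:
    """Constructed stand-in for a provider's token endpoint (hypothetical, not a library)."""

    def __init__(self, clients):
        self.clients = clients   # client_id -> client_secret, or None for a public client
        self.auth_codes = {}     # code -> {client_id, redirect_uri, challenge}
        self.device_codes = {}   # device_code -> {client_id, status}

    def issue_auth_code(self, client_id, redirect_uri, code_challenge=None):
        code = b64url(secrets.token_bytes(16))
        self.auth_codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                                 "challenge": code_challenge}
        return code

    def issue_device_code(self, client_id):
        device_code = b64url(secrets.token_bytes(16))
        self.device_codes[device_code] = {"client_id": client_id, "status": "pending"}
        return device_code

    def approve_device(self, device_code):
        self.device_codes[device_code]["status"] = "approved"

    def token(self, p):
        grant = p.get("grant_type")
        if grant == "authorization_code":
            return self._authorization_code(p)
        if grant == DEVICE_CODE_GRANT:
            return self._device_code(p)
        return {"error": "unsupported_grant_type"}

    def _authorization_code(self, p):
        rec = self.auth_codes.pop(p.get("code"), None)  # pop: a code is single use
        if (rec is None or rec["client_id"] != p.get("client_id")
                or rec["redirect_uri"] != p.get("redirect_uri")):
            return {"error": "invalid_grant"}
        secret = self.clients.get(rec["client_id"])
        if secret is not None and not hmac.compare_digest(p.get("client_secret", ""), secret):
            return {"error": "invalid_client"}  # confidential client must authenticate
        if rec["challenge"] is not None:
            # PKCE: the presented verifier must hash to the challenge sent at authorization time.
            if not hmac.compare_digest(make_pkce_pair(p.get("code_verifier", ""))[1],
                                       rec["challenge"]):
                return {"error": "invalid_grant"}
        # With neither a secret nor a challenge (the case raised in this issue), the code
        # is accepted on client_id and redirect_uri alone.
        return {"access_token": b64url(secrets.token_bytes(16)), "token_type": "Bearer"}

    def _device_code(self, p):
        rec = self.device_codes.get(p.get("device_code"))
        if rec is None or rec["client_id"] != p.get("client_id"):
            return {"error": "invalid_grant"}
        if rec["status"] == "pending":
            return {"error": "authorization_pending"}  # client backs off and polls again
        del self.device_codes[p["device_code"]]  # single use once approved
        return {"access_token": b64url(secrets.token_bytes(16)), "token_type": "Bearer"}
```

`make_pkce_pair` reproduces the S256 test vector from RFC 7636 Appendix B, which is a quick way to check any PKCE implementation. The mock deliberately models only the token endpoint; the authorization endpoint, user verification URI and expiry handling are out of scope here.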