The draft in Sections 5 and 6 refers to the security BCP:
The Authorization Endpoint is used in the same manner as defined in [RFC6749], taking into account the recommendations given in [I-D.ietf-oauth-security-topics].
The Token Endpoint issues an Access Token and, optionally, a Refresh Token in exchange for the Authorization Code that Client obtained in a successful Authorization Response. It is used in the same manner as defined in [RFC6749] and follows the recommendations given in [I-D.ietf-oauth-security-topics].
This wording is misleading, as not all protections mentioned in the BCP are mentioned here (e.g., PKCE is only implied in Section 6; the PKCE downgrade attack mitigation is not mentioned).
This may lead to implementers not implementing necessary security mechanisms.
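To make concrete what the comment above is asking for, here is an added example (not code from the draft or from any implementation it describes) of the token-endpoint check that the security BCP calls the PKCE downgrade-attack mitigation: a token request is rejected when the authorization request carried a code_challenge but no code_verifier is presented, and also when a code_verifier is presented for a code that was never bound to a code_challenge. The `AuthorizationRecord` shape, the function names and the sample grant are assumptions made for this example; the S256 test vector is the one from RFC 7636 Appendix B.

```python
"""PKCE verification at the token endpoint, including the downgrade-attack
mitigation recommended by the OAuth Security BCP.

Added example; not code from the draft under discussion. The stored
authorization-request record and the helper names are assumptions.
"""
import base64
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class AuthorizationRecord:
    """What the AS persisted when it issued an authorization code (constructed).

    code_challenge is None when the client sent no PKCE parameters in the
    authorization request; the token endpoint must honour that binding.
    """
    code: str
    code_challenge: Optional[str]
    code_challenge_method: Optional[str]  # "S256" or "plain"


def s256_challenge(code_verifier: str) -> str:
    """RFC 7636: BASE64URL(SHA256(ASCII(code_verifier))), no '=' padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def verify_token_request(record: AuthorizationRecord,
                         code_verifier: Optional[str]) -> Tuple[bool, str]:
    """Return (accepted, reason) for a token request redeeming `record.code`.

    Order of checks:
    1. BCP downgrade mitigation: a code bound to a code_challenge MUST be
       presented with a code_verifier, and a code_verifier MUST NOT be
       accepted for a code that was never bound to a code_challenge.
    2. RFC 7636 verification of the verifier against the stored challenge.
    """
    challenge_bound = record.code_challenge is not None
    verifier_sent = code_verifier is not None

    if challenge_bound and not verifier_sent:
        return False, "downgrade: code_challenge bound to code but no code_verifier"
    if verifier_sent and not challenge_bound:
        return False, "downgrade: code_verifier sent but no code_challenge was bound"
    if not challenge_bound and not verifier_sent:
        # No PKCE on this grant at all. Whether that is allowed is a policy
        # decision taken at the authorization endpoint (the BCP requires PKCE
        # for public clients); the token endpoint only has to stay consistent.
        return True, "grant issued without PKCE"

    if record.code_challenge_method == "S256":
        expected = s256_challenge(code_verifier)
    elif record.code_challenge_method == "plain":
        expected = code_verifier
    else:
        return False, "unsupported code_challenge_method"

    # Constant-time comparison of the recomputed challenge with the stored one.
    if not hmac.compare_digest(expected.encode("utf-8"),
                               record.code_challenge.encode("utf-8")):
        return False, "code_verifier does not match code_challenge"
    return True, "PKCE verified"


if __name__ == "__main__":
    # Constructed sample grant using the RFC 7636 Appendix B verifier/challenge pair.
    verifier = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
    grant = AuthorizationRecord("code-1", s256_challenge(verifier), "S256")
    print(verify_token_request(grant, verifier))   # accepted
    print(verify_token_request(grant, None))       # rejected: downgrade
    print(verify_token_request(AuthorizationRecord("code-2", None, None), verifier))
```

The two downgrade branches are the point: a correct RFC 7636 verifier check on its own still accepts a token request that silently omits `code_verifier` for a code that was issued with a challenge, unless the server explicitly refuses that case.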