Closed acoburn closed 3 years ago
The discussion on this issue is ongoing in the Authentication Panel.
@acoburn please re-open if the latest draft doesn't address this issue: https://github.com/solid/authentication-panel/blob/master/oidc-authentication.md
The current WebID-OIDC protocol definition does not mention PKCE as a mechanism for securing authentication tokens. There are good reasons why this should be used in the interaction between a client (relying party) and identity provider (it helps to avoid replay attacks in the token request interaction).
Should this mechanism be required by the WebID-OIDC specification?
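To make the mechanism under discussion concrete, here is an added example (not code from this issue, from the Solid specs, or from any WebID-OIDC implementation) that models both sides of PKCE (RFC 7636) in Python: the relying party generates a `code_verifier` and derives an S256 `code_challenge`, and a toy in-memory identity provider binds the challenge to the issued authorization code and only exchanges that code for a token when the matching verifier is presented, and only once. The class name `ToyAuthorizationServer`, the client id `https://rp.example/`, and the simulated `authorize`/`token` calls are constructed for illustration; the verifier/challenge pair in `RFC7636_VECTOR` is the test vector from RFC 7636 Appendix B.

```python
import base64
import hashlib
import secrets

# RFC 7636 Appendix B test vector (verifier -> S256 challenge)
RFC7636_VECTOR = (
    "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk",
    "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM",
)


def b64url_nopad(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires for verifier and challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """Client side: a high-entropy verifier (32 random bytes -> 43 unreserved chars)."""
    return b64url_nopad(secrets.token_bytes(n_bytes))


def make_code_challenge(verifier: str) -> str:
    """Client side, S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())


def verify_code_challenge(verifier: str, challenge: str, method: str = "S256") -> bool:
    """IdP side: recompute the challenge from the presented verifier and compare in constant time."""
    if method == "S256":
        expected = make_code_challenge(verifier)
    elif method == "plain":
        expected = verifier
    else:
        return False
    return secrets.compare_digest(expected, challenge)


class ToyAuthorizationServer:
    """Constructed in-memory model of the identity provider's authorization and token endpoints."""

    def __init__(self) -> None:
        # authorization code -> (code_challenge, method, client_id)
        self._pending: dict[str, tuple[str, str, str]] = {}

    def authorize(self, client_id: str, code_challenge: str, method: str = "S256") -> str:
        """Issue an authorization code bound to the client's challenge."""
        if method not in ("S256", "plain"):
            raise ValueError("unsupported code_challenge_method")
        code = b64url_nopad(secrets.token_bytes(16))
        self._pending[code] = (code_challenge, method, client_id)
        return code

    def token(self, client_id: str, code: str, code_verifier: str):
        """Exchange the code for a token only if the verifier matches; the code is single-use."""
        entry = self._pending.pop(code, None)  # consumed on first use, so a replayed code fails
        if entry is None:
            return None
        challenge, method, bound_client = entry
        if client_id != bound_client:
            return None
        if not verify_code_challenge(code_verifier, challenge, method):
            return None
        return {"access_token": b64url_nopad(secrets.token_bytes(24)), "token_type": "Bearer"}


def run_flow(client_id: str = "https://rp.example/") -> dict:
    """Simulate one PKCE flow and report which token requests the IdP accepted."""
    idp = ToyAuthorizationServer()
    verifier = make_code_verifier()
    code = idp.authorize(client_id, make_code_challenge(verifier))

    # A request that presents the code without knowing the verifier is refused.
    without_verifier = idp.token(client_id, code, make_code_verifier())
    # The legitimate client, holding the verifier, needs a fresh code after that failure.
    code = idp.authorize(client_id, make_code_challenge(verifier))
    legitimate = idp.token(client_id, code, verifier)
    # Presenting the same code a second time is refused because it was consumed.
    replayed = idp.token(client_id, code, verifier)
    return {
        "without_verifier_accepted": without_verifier is not None,
        "legitimate_accepted": legitimate is not None,
        "replay_accepted": replayed is not None,
    }


if __name__ == "__main__":
    print(run_flow())
```

The `plain` method is kept only so the verifier logic mirrors the RFC; an IdP that wants the replay protection the issue describes should accept S256 only.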